# Rootkit Revealer [Moved from XP -- needs help]



## sweets_792 (Nov 14, 2005)

Hi everyone,

I am looking for some help as to what my next step should be. I went searching the other day looking for free serial numbers. I came across a website called crackspider.com. Well, apparently that website is just bad news. It gave me viruses and tons of spyware. My Windows XP security turned my desktop blue with a red sign that read SPYWARE INFECTION! and a red X at the bottom of the screen that kept popping up saying I have spyware and to click here so Windows can install the latest spyware program for me to use. Well, I did that, but it only scanned my computer. I would have needed to pay to have the spyware removed. It was very annoying. Nothing was helping my situation and I couldn't use a lot of stuff on my computer. I managed to download Spybot and that got rid of the warnings and everything seemed back to normal. My original desktop wallpaper came back, but I can't change it to anything else. The place to do that has it all grayed out still. Also I still can't get into my Windows Firewall settings. The spyware shut down my Windows Firewall and I can't get it back up and running, so in the meantime I am using AVG with firewall 30 day free trial. I don't dare to go into any back offices of my websites or anything like that till everything is as it was before. Can anyone help me? Do I still have spyware that I need to get rid of or do I need to fix a problem with my Windows? Help!!!!


----------



## Cheeseball81 (Mar 3, 2004)

Welcome to TSG 

Click here to download *HJTsetup.exe*: http://www.thespykiller.co.uk/files/HJTSetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to *C:\Program Files\Hijack This*.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## sweets_792 (Nov 14, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 3:53:47 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\msnappm.exe
C:\Program Files\Common Files\AOL\1123551141\ee\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\OP7WMW6G\AOLToolbar[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Jemfjf] c:\Program Files\Mypur\Xuwtf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Iuo] C:\WINDOWS\System32\lsmrkag.exe
O4 - HKCU\..\Run: [bwp5RPKsS] resfile.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [msn] msnmsg.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
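
As an added example (not part of this thread, and not code from HijackThis or from any of the helpers here), the script below parses the R/O lines of a HijackThis v1.99 log and scores the indicators a human reviewer reacts to in a log like the one above: autorun value names or executable names that look machine-generated, bare filenames with no directory, entries under the `RunServices` key (a Windows 9x mechanism that Windows XP does not use), Winlogon Notify DLLs, services whose binary is missing or whose `svchost.exe` sits outside `System32`, a changed start page, and an orphaned URLSearchHook. The weights, the score threshold and the `looks_random()` heuristic are my own assumptions, and the sample lines are a subset copied from the first HijackThis log posted in this thread. A hit is a prompt to look closer at that entry, not a verdict.

```python
"""HijackThis log triage: score R/O entries with a few heuristic indicators.

Added example for this thread; not HijackThis code. Weights, thresholds and
looks_random() are assumptions chosen so the legitimate entries in the
thread's log (realsched, qttask, AVG, iTunes) score zero.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 registry autoruns: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def looks_random(token):
    """Assumed heuristic: a run of 4+ consonants and fewer than 20% vowels."""
    letters = re.sub(r"[^A-Za-z]", "", token).lower()
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return longest_run >= 4 and vowel_ratio < 0.2


def check_run_entry(body, f):
    m = RUN_RE.match(body)
    if not m:
        return  # Startup-folder .lnk lines are left for the reader to inspect
    name, key, cmd = m["name"], m["key"], m["cmd"]
    if looks_random(name):
        f.add(2, f"value name '{name}' looks machine-generated")
    if key.lower() == "runservices":
        f.add(3, "RunServices is a Windows 9x key; Windows XP does not use it")
    e = EXE_RE.match(cmd)
    if e:
        path = e["path"]
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\" not in path:
            f.add(2, f"'{path}' has no directory; it is found by PATH search at logon")
        if looks_random(stem):
            f.add(2, f"executable name '{stem}' looks machine-generated")


def check_service(body, f):
    parts = body[len("Service: "):].rsplit(" - ", 2)  # display - owner - path
    if len(parts) != 3:
        return
    _display, owner, path = parts
    if "(file missing)" in path:
        f.add(2, "service binary is missing on disk")
    if owner == "Unknown owner":
        f.add(1, "no publisher recorded for the service")
    p = path.replace(" (file missing)", "").lower()
    if p.endswith("\\svchost.exe") and "\\system32\\svchost.exe" not in p:
        f.add(3, "svchost.exe outside %SystemRoot%\\System32 is not the Windows binary")


def triage(log_text, min_score=1):
    """Return Findings with score >= min_score, highest score first."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        f = Finding(raw.strip())
        if kind == "O4":
            check_run_entry(body, f)
        elif kind == "O23" and body.startswith("Service: "):
            check_service(body, f)
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            f.add(2, "Winlogon Notify DLL loads into winlogon.exe; verify its publisher")
        elif kind == "R0" and "Start Page = http" in body:
            f.add(1, "confirm the user chose this start page")
        elif kind == "R3" and "(no file)" in body:
            f.add(1, "orphaned URLSearchHook; harmless but worth removing")
        if f.score >= min_score:
            findings.append(f)
    return sorted(findings, key=lambda x: x.score, reverse=True)


def score_table(log_text):
    """Map each flagged line to its score (convenient for checks and tests)."""
    return {f.line: f.score for f in triage(log_text)}


# Subset of lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Jemfjf] c:\Program Files\Mypur\Xuwtf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Iuo] C:\WINDOWS\System32\lsmrkag.exe
O4 - HKCU\..\Run: [bwp5RPKsS] resfile.exe
O4 - HKCU\..\RunServices: [msn] msnmsg.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")
```

Run it on a full log by passing the file contents to `triage()`; the `RunServices` entry and the `.NET Framework Service` pointing at a missing `C:\WINDOWS\svchost.exe` come out on top, while the Real, QuickTime and AVG entries are not listed at all. Names like `Iuo` are too short for the consonant-run rule, which is why the executable name is scored as well as the value name.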


----------



## sweets_792 (Nov 14, 2005)

Someone who understands what the above log means, please post. Tell me what my next step should be.


----------



## Sequal7 (Apr 15, 2001)

Hope the software you're cracking is at least worth the trouble.

Last I heard of this rampant infection, MS AntiSpyware was looking into it.
Have you tried that software?
http://www.microsoft.com/athome/security/spyware/software/default.mspx
It most likely will remove it for you (whatever Spybot missed, that is).

Also, Ewido is supposed to work very well for infections.
http://www.ewido.net/en/

Looks like you also may have LSP hijacking and about:blank infections, and I'm not sure if they will be repaired, so someone else will help you with those.


----------



## sweets_792 (Nov 14, 2005)

I have used MS AntiSpyware. It didn't help me out much. Spybot has been the best for me so far.

I am just waiting for Cheeseball81 to respond to my HijackThis log he told me to post...


----------



## Cheeseball81 (Mar 3, 2004)

Those LSP entries are legitimate ones.

Click here to download the trial version of *Ewido Security Suite*: 
http://www.ewido.net/en/download/

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido.
· It will prompt you to update; click the OK button and it will go to the main screen.
· On the left side of the main screen click update.
· Click on Start and let it update.
· *DO NOT* run a scan yet.

Restart your computer into *Safe Mode* now. 
(Start tapping the *F8* key at Startup, before the Windows logo screen).
Perform the following steps in Safe Mode:

* Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

*Post a new Hijack This log and the results of the Ewido scan.*


----------



## sweets_792 (Nov 14, 2005)

OK, I'm doing this now... I will be back soon with the results.


----------



## Cheeseball81 (Mar 3, 2004)

:up:


----------



## MrBillPro (Mar 1, 2003)

sweets_792 said:


> Hi everyone,
> 
> I am looking for some help as to what my next step should be. I went searching the other day looking for free serial numbers. I came across a website called crackspider.com. Well, apparently that website is just bad news.


Hey, at least you're honest; I bet not many here would even admit what you admitted. I have been there, done that before also, a couple of years ago, but I learned my lesson and just purchase it the right way now.


----------



## sweets_792 (Nov 14, 2005)

Here are the results:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:39:07 PM, 11/14/2005
+ Report-Checksum: 9BF39DED

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Install.dll\\.Owner -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Install.dll\\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinFormX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinFormX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/OLEPRO32.DLL\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Error during cleaning
:mozilla.23:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\tof1wfro.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\0CDJUDT5\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupons : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.x : Cleaned with backup

::Report End

______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 6:42:40 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\msnappm.exe
C:\Program Files\Common Files\AOL\1123551141\ee\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Jemfjf] c:\Program Files\Mypur\Xuwtf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Iuo] C:\WINDOWS\System32\lsmrkag.exe
O4 - HKCU\..\Run: [bwp5RPKsS] resfile.exe
O4 - HKCU\..\RunServices: [msn] msnmsg.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## sweets_792 (Nov 14, 2005)

waiting for next step...thanks!!


----------



## Cheeseball81 (Mar 3, 2004)

Be back shortly with instructions


----------



## Cheeseball81 (Mar 3, 2004)

Download *KillBox* here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
*DO NOT* run it yet.

Click *Start* > *Run* and type in:

*services.msc*

Click OK.

In the services window find: *.NET Framework Service*

Right click and choose *Properties*. On the *General* tab under *Service Status* click the *Stop* button to stop the service. Beside *Startup Type* in the dropdown menu select *Disabled*. Click *Apply* then *OK*. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)*

*O4 - HKLM\..\Run: [Jemfjf] c:\Program Files\Mypur\Xuwtf.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe

O4 - HKCU\..\Run: [Iuo] C:\WINDOWS\System32\lsmrkag.exe

O4 - HKCU\..\Run: [bwp5RPKsS] resfile.exe

O4 - HKCU\..\RunServices: [msn] msnmsg.exe

O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)*

Boot into *Safe Mode*.

Double-click on Killbox.exe to run it. 
Now put a tick by Standard File Kill. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file.
Click Yes. 
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*c:\Program Files\Mypur\Xuwtf.exe

C:\WINDOWS\msnappm.exe

C:\WINDOWS\System32\lsmrkag.exe

C:\WINDOWS\System32\resfile.exe

C:\WINDOWS\System32\msnmsg.exe*

Note: It is possible that Killbox will tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the KillBox.

Find and delete these folders:

*c:\Program Files\Mypur

c:\Program Files\Viewpoint*

Also in Safe Mode navigate to the C:\Windows\Temp folder. 
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. 
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.


----------



## sweets_792 (Nov 14, 2005)

New Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:10 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1123551141\ee\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## Cheeseball81 (Mar 3, 2004)

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find:

*.NET Framework Service*

Right click and choose "Properties". 
On the "General" tab under "Service Status" click the "Stop" button to stop the service. 
Beside "Startup Type" in the dropdown menu select "Disabled". 
Click Apply then OK. 
Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. 
If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

In Hijack This, click on the "Open Misc Tools section" button. 
Next click the "Delete an NT service" button. 
Copy and paste the following in that box:

*.NET Connection Service*

Click OK.

Reboot, post a new log.

How are things now?


----------



## sweets_792 (Nov 14, 2005)

I am still unable to change my desktop wallpaper; the choices are all grayed out and I can't click Browse. Also, I still can't get into my Windows Firewall. This is the message I keep getting: Due to an unidentified problem, Windows cannot display Windows Firewall settings.

Here is my new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:30 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1123551141\ee\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## Cheeseball81 (Mar 3, 2004)

I just realized I missed an entry.

Fix this one too:
*O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll*

* *Click here* to download *smitRem.exe*. 
Save the file to your desktop. 
It is a self extracting file.
Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop. 
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

Boot into *Safe Mode*.

* Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

*Post a new Hijack This log.*


----------
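The entries Cheeseball81 picks out across the three replies above (the O4 Run entries and the .NET Connection Service in the KillBox post, the service deletion, and the O20 Winlogon Notify entry in the smitRem post) share a few structural tells: a bare file name with no folder, an executable sitting directly in C:\WINDOWS, a service whose binary is missing or carries no company name, svchost.exe outside System32, and a non-stock Winlogon notification DLL. The script below is an added example, not code from HijackThis or from anyone in this thread; it parses the O4, O20 and O23 sections of a 1.99-style log and flags entries by those tells. The sample lines are copied from the logs posted above, the Run-key allowlist is constructed from the clean entries in those same logs, the list of stock XP SP2 Winlogon Notify packages is from a default install, and the "fix" / "review" labels are this example's own convention.

```python
"""Triage the O4, O20 and O23 sections of a HijackThis 1.99 log.
Added example for this thread, not code from HijackThis or from the forum;
allowlists and sample lines are constructed from the logs posted above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt: lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Jemfjf] c:\Program Files\Mypur\Xuwtf.exe
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKCU\..\Run: [Iuo] C:\WINDOWS\System32\lsmrkag.exe
O4 - HKCU\..\Run: [bwp5RPKsS] resfile.exe
O4 - HKCU\..\RunServices: [msn] msnmsg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Run-key names treated as legitimate in this thread (constructed allowlist).
KNOWN_RUN_NAMES = {"TkBellExe", "SunJavaUpdateSched", "HostManager", "OneTouch Monitor",
                   "iTunesHelper", "QuickTime Task", "hp Update 3300C", "AVG7_CC"}
# Winlogon Notify packages of a stock XP SP2 install; HijackThis hides these,
# so any O20 line it does print deserves a look.
STOCK_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                         "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")
# First program in a command line: optional quotes, then a path ending in a binary extension.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|scr|bat|dll))"?(?:\s|$)', re.I)


@dataclass
class Finding:
    section: str
    label: str
    severity: str                 # "fix": structural red flag; "review": merely unknown to us
    reasons: List[str] = field(default_factory=list)


def executable(cmd: str) -> str:
    """Program part of a Run-key command, quotes and arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else (cmd.split() or [""])[0]


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows folder, not a subfolder."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows"


def check_o4(m) -> Optional[Finding]:
    name, exe, reasons = m["name"], executable(m["cmd"]), []
    if "\\" not in exe:
        reasons.append("bare file name: which file runs depends on the search path")
    if in_windows_root(exe):
        reasons.append("executable sits directly in the Windows folder")
    if m["key"].lower() == "runservices":
        reasons.append("RunServices is a Windows 9x-era key that XP does not process")
    if reasons:
        return Finding("O4", name, "fix", reasons)
    if name not in KNOWN_RUN_NAMES:
        return Finding("O4", name, "review", [f"not on the allowlist; identify {exe}"])
    return None


def check_o20(m) -> Optional[Finding]:
    if m["name"] in STOCK_WINLOGON_NOTIFY:
        return None
    return Finding("O20", m["name"], "fix",
                   [f"non-stock notification package; {m['path']} loads into winlogon.exe"])


def check_o23(m) -> Optional[Finding]:
    path, reasons = m["path"], []
    if path.endswith("(file missing)"):
        reasons.append("service binary is missing")
        path = path[: -len("(file missing)")].strip()
    if m["owner"] == "Unknown owner":
        reasons.append("no company name in the binary's version info")
    exe = executable(path).lower()
    if exe.endswith("\\svchost.exe") and "\\system32\\" not in exe:
        reasons.append("svchost.exe outside System32 is not the real service host")
    return Finding("O23", m["svc"] or m["display"], "fix", reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """One Finding per suspicious entry, in log order; lines of other sections are skipped."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        for regex, check in ((O4_RE, check_o4), (O20_RE, check_o20), (O23_RE, check_o23)):
            m = regex.match(line)
            if m:
                f = check(m)
                if f:
                    findings.append(f)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.label}: " + "; ".join(f.reasons))
```

Run on the excerpt, the "fix" list is msnsyslog, bwp5RPKsS, msn, cert32 and the .NET Connection Service, which matches what the helper told the poster to remove; Jemfjf and Iuo only come out as "review", because nothing about their paths is structurally wrong and the allowlist simply does not know them. That gap is why a helper still reads every unknown O4 entry by hand rather than trusting a script, and why the allowlist has to be curated rather than built from whatever happens to be on the machine.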



## sweets_792 (Nov 14, 2005)

New Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:35 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1123551141\ee\aolsoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## Cheeseball81 (Mar 3, 2004)

I don't like the looks of the new O20 that has appeared.

Run *Kaspersky* online virus scan here: http://www.kaspersky.com/virusscanner

When the scan is finished, have it delete anything that it cannot clean.
Save the results from the scan.

Post the results here.
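A small triage helper in the spirit of the remark above about the new O20 entry, added here as an example and not part of this thread or of HijackThis itself: it parses two HijackThis logs, reports which entries appeared or disappeared between them, and flags O20 Winlogon Notify entries, since those load a DLL into winlogon.exe at every logon and are the kind of entry a helper checks first. The line-format regex and the two sample logs (built from lines quoted in this thread) are my assumptions.

```python
"""Diff two HijackThis logs and flag Winlogon Notify (O20) entries (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed HJT line shape: a section tag (R0, O2, O20, O23, ...) then " - " and the rest.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*\S)\s*$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O20"
    body: str      # e.g. "Winlogon Notify: cert32 - C:\\WINDOWS\\SYSTEM32\\cert32.dll"


def _order(e: Entry) -> tuple[str, int, str]:
    # Sort numerically on the section number so O8 sorts before O20.
    return (e.section[0], int(e.section[1:]), e.body)


def parse_log(text: str) -> list[Entry]:
    """Return the R/F/N/O entries of a HijackThis log, de-duplicated, in log order."""
    seen: set[Entry] = set()
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue            # header lines, "Running processes:" paths, blanks
        e = Entry(m.group("section"), m.group("body"))
        if e not in seen:       # HJT repeats one O10 LSP line per catalog slot
            seen.add(e)
            entries.append(e)
    return entries


def diff_logs(old_text: str, new_text: str) -> tuple[list[Entry], list[Entry]]:
    """(added, removed) entries between an earlier and a later log."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(new - old, key=_order), sorted(old - new, key=_order)


def suspicious_entries(entries: list[Entry]) -> list[Entry]:
    """O20 Winlogon Notify entries: a DLL registered to run inside winlogon.exe at logon."""
    return [e for e in entries
            if e.section == "O20" and e.body.startswith("Winlogon Notify:")]


def triage(old_text: str, new_text: str) -> dict[str, list[Entry]]:
    """Everything a helper wants at a glance: what changed, and what needs a look regardless."""
    added, removed = diff_logs(old_text, new_text)
    return {"added": added, "removed": removed,
            "suspicious": suspicious_entries(parse_log(new_text))}


# Constructed sample logs, abridged from lines quoted in this thread.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:14:01 PM, on 11/15/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
"""

NEW_LOG = OLD_LOG + r"""O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
"""

if __name__ == "__main__":
    for kind, items in triage(OLD_LOG, NEW_LOG).items():
        for e in items:
            print(f"{kind:>10}: {e.section} - {e.body}")
```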


----------



## sweets_792 (Nov 14, 2005)

OK, running the scan now... I am now able to change my desktop wallpaper, but I still can't get into my Windows Firewall... I will post the results of the scan soon.


----------



## Cheeseball81 (Mar 3, 2004)

It might be the virus. I think you have Haxdoor.


----------



## sweets_792 (Nov 14, 2005)

Here are the results. 10 infected objects were found. What is the next step to get rid of them?

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, November 14, 2005 23:57:16
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/11/2005
Kaspersky Anti-Virus database records: 150178
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 62587
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 4
Duration of the scan process: 2902 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 12:27:26 +0200]/UNNAMED/UNNAMED/html	Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 12:27:26 +0200]/UNNAMED/UNNAMED	Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 12:27:26 +0200]/UNNAMED/message.scr	Infected: Virus.Win32.Xorala
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 12:27:26 +0200]/UNNAMED	Infected: Virus.Win32.Xorala
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From "[email protected]"<[email protected]>][Date Tue, 26 Jul 2005 13:31:09 +0900]/html	Infected: Trojan-Spy.HTML.Bayfraud.gm
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 11:14:08 +0400]/UNNAMED/UNNAMED/html	Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 11:14:08 +0400]/UNNAMED/UNNAMED	Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 11:14:08 +0400]/UNNAMED/message.scr	Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 26 Jul 2005 11:14:08 +0400]/UNNAMED	Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Ryan\Local Settings\Application Data\Identities\{04E569C1-9199-4A2F-81D8-275BE374CCC2}\Microsoft\Outlook Express\Deleted Items.dbx	Infected: Email-Worm.Win32.NetSky.q

Scan process completed.


----------



## Cheeseball81 (Mar 3, 2004)

Right click on the Deleted Items folder and select Empty Deleted Items.

Rescan with Hijack This.
Close all browser windows except Hijack This, 
Put a check mark beside these entries and click "Fix Checked".

*O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll*

Boot into Safe Mode and KillBox this file:

*C:\WINDOWS\SYSTEM32\cert32.dll*

Reboot, post a new log.


----------



## sweets_792 (Nov 14, 2005)

I will continue with these next steps tomorrow. Thanks for all your help so far!! This site is great!!!


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome. See you tomorrow.


----------



## sweets_792 (Nov 14, 2005)

Good morning : )

I guess I am a little confused about this part:
Right click on the Deleted Items folder and select Empty Deleted Items.

Could you please explain this a little further? What Deleted Items folder exactly?

Thanks!


----------



## sweets_792 (Nov 14, 2005)

I did a scan with KASPERSKY ON-LINE SCANNER, but I see no way to actually get rid of the viruses. Cheeseball told me to right click on the Deleted Items folder and select Empty Deleted Items. I don't see a Deleted Items folder anywhere. I need further help with this from Cheeseball or anyone else that may know. Thanks!!!


----------



## Cheeseball81 (Mar 3, 2004)

The Deleted Items folder in Outlook Express.


----------



## sweets_792 (Nov 14, 2005)

Where do I locate the Deleted Items folder in Outlook Express?


----------



## sweets_792 (Nov 14, 2005)

OK, I opened up Outlook Express and saw Deleted Items. I was trying to find it some other way. I emptied that, so I will continue with the next step and report back soon.


----------



## Cheeseball81 (Mar 3, 2004)

It should be under 'Tools' - Empty "Deleted Items" Folder.

Or depending on what version of Outlook you have, it also could be:

Tools menu, select Options.

In Outlook 98, 2000, 2002, or 2003, select the Other tab. In Outlook 97, select the General tab.

Click Empty the Deleted Items folder upon exiting to select it, and then click Apply.


----------



## sweets_792 (Nov 14, 2005)

I did this next step:

Rescan with Hijack This.
Close all browser windows except Hijack This, 
Put a check mark beside these entries and click "Fix Checked".

O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll

Boot into Safe Mode and KillBox this file:

C:\WINDOWS\SYSTEM32\cert32.dll

Killbox could not delete that file.

Here is my new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 1:14:01 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\AOL\1123551141\ee\aolsoftware.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## Cheeseball81 (Mar 3, 2004)

Go to this site: http://virusscan.jotti.org/

Use the Browse button at Jotti, navigate to the file's location on your hard drive and submit this file: *C:\WINDOWS\SYSTEM32\cert32.dll*

Let me know what it says regarding the file.


----------



## sweets_792 (Nov 14, 2005)

I went to that site and clicked Browse; however, I was unable to locate the file, as if it actually was deleted even though Killbox said it couldn't delete it. What now?


----------



## Cheeseball81 (Mar 3, 2004)

Download http://www.atribune.org/downloads/HSFix.zip and place it on the desktop.

Boot into *Safe Mode*.

Now unzip *hsfix.zip* to the desktop and double-click the Hsfix.bat file inside the hsfix folder it will create there.

Your taskbar will disappear and the icons on the desktop and in the Systray will vanish, but they will return when the fix is complete.

If the Systray icons don't all come back (sometimes in XP they won't immediately), then reboot and that will restore them.

When it has finished, please post the log file it makes so we can check.


----------



## sweets_792 (Nov 14, 2005)

HSFix log:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
avpx64
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

-
3. Finding files Located on system
-
ps.a3d
w32tm.exe
C:\WINDOWS\system32\avpx64.sys
C:\WINDOWS\system32\avpx32.dll
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-


----------



## Cheeseball81 (Mar 3, 2004)

Post a new Hijack This log.


----------



## sweets_792 (Nov 14, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 2:03:55 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1123551141\ee\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## dvk01 (Dec 14, 2002)

let's try this 
Please download Process Explorer by Sysinternals from HERE

Also download KillBox by Option^Explicit from HERE

*Then boot up in*  SAFE MODE

*the rest of this fix must be done in safe mode.*

Unzip Process Explorer and double click on *procexp.exe*

In the top section of the Process Explorer screen double click on *winlogon.exe* to bring up the winlogon.exe properties screen. Click on the *Threads tab* at the top.

Once you see this screen click on each instance of *C:\WINDOWS\SYSTEM32\cert32.dll* once and then click the *kill* button.

After you have killed all of the *C:\WINDOWS\SYSTEM32\cert32.dll*'s under winlogon click *OK*.

Next double click on *explorer.exe* and bring up the properties screen 
Click on the *Threads* tab at the top.
and again click once on each instance of *C:\WINDOWS\SYSTEM32\cert32.dll* then click the *kill* button.

Once you have done that click *OK* again.

Next run HijackThis and place a check beside each of the following.

O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll

Now click *fix checked* and close HijackThis.

now run killbox and paste This line below into the box, select delete on reboot then press the red X Button, say yes to the 1st prompt But NO to reboot now

C:\WINDOWS\SYSTEM32\cert32.dll

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then let it reboot

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.


----------



## sweets_792 (Nov 14, 2005)

I am unable to run Process Explorer in Safe Mode. I click run and nothing happens. Now what?


----------



## dvk01 (Dec 14, 2002)

Process Explorer always runs in safe mode 

all you need to do is double click its file 

what happens when you do that 

it sometimes takes a minute or 2 while it scans for what is running etc before it displays


----------



## sweets_792 (Nov 14, 2005)

i double click on it and then click run. nothing at all happens. it seemed i waited long enough. perhaps i will try again and wait longer. i will try that and let you know what happens.


----------



## dvk01 (Dec 14, 2002)

don't click run

just double click the file and process explorer opens

read the instructions in post #40 again

nowhere does it say use the run command


----------



## sweets_792 (Nov 14, 2005)

when i double click the process explorer a run command comes up. i click run and nothing happens at all.


----------



## sweets_792 (Nov 14, 2005)

i tried running it in regular mode and nothing happens. the run or cancel command box comes up. i click run and nothing happens after that. this program just isn't working on my computer.


----------



## dvk01 (Dec 14, 2002)

I have never seen that before

it does sound like a rootkit is hiding something that blocks Process Explorer then

can you do this then please

download 
http://www.f-secure.com/blacklight/

run it & post the log it makes


----------



## sweets_792 (Nov 14, 2005)

i was downloading F-Secure Blacklight and i got an error message: Windows Explorer was not found for the current user. You cannot use Secondary Logon (RunAs) to start F-Secure Blacklight.

what does this mean?


----------



## dvk01 (Dec 14, 2002)

reboot & make sure you log on as you 

it looks like you have somehow either tried to use a limited account or guest account to download & run it 

otherwise something has seriously compromised your computer, in which case I would be very worried and strongly consider a format & reinstall of windows 

Try the reboot first and see what happens


----------



## sweets_792 (Nov 14, 2005)

i restarted the computer and the same thing happened when i tried downloading it again. it's telling me i don't have windows explorer. what should my next step be? my goal is to get rid of all my spyware. also the viruses that kaspersky online scanner found. and to be able to get into my windows firewall to turn it back on. otherwise i don't feel very safe on the internet.


----------



## dvk01 (Dec 14, 2002)

It's right 

you haven't got an explorer.exe running

please do this 

open HJT press config/misc tools tick the 2 small boxes about minor & empty sections & press generate start up list 

post that back here please 

Have you got a desktop working or is it blank with no icons & task bar


----------



## sweets_792 (Nov 14, 2005)

my computer seems to be working fine except for not being able to get into windows firewall and the viruses that kaspersky found. otherwise i wouldn't know anything was wrong. i will do the HJT thing and report back.


----------



## sweets_792 (Nov 14, 2005)

the startup list was too long to post in the message so i attached it as a file instead.


----------



## dvk01 (Dec 14, 2002)

explorer.exe exists but something is blocking it from being seen 

I haven't seen that before 

go to start/run and type explorer.exe
press ok and see what happens


----------



## sweets_792 (Nov 14, 2005)

the program windows explorer pops up that shows all the stuff on my computer. is this a good thing to happen?


----------



## dvk01 (Dec 14, 2002)

sweets_792 said:


> the program windows explorer pops up that shows all the stuff on my computer. is this a good thing to happen?


that is supposed to happen so that side is ok

It's strange the way that it isn't being seen in running processes so the rootkit is hiding it

let's try this other rootkit detector then

download & run http://www.sysinternals.com/Utilities/RootkitRevealer.html 
save its log and post back with the log

DO NOT attempt to fix anything it finds as most entries will be legitimate


----------



## sweets_792 (Nov 14, 2005)

i did the scan, but it wouldn't let me save the results. the save box came up and i saved it to my desktop, but it's nowhere to be seen. should i try the scan again?


----------



## sweets_792 (Nov 14, 2005)

waiting for next step...


----------



## sweets_792 (Nov 14, 2005)

well i guess no one has any answers. i will try to figure this out myself.


----------



## Cheeseball81 (Mar 3, 2004)

Derek is in the UK, so the time is different there. He'd be back sometime later.


----------



## sweets_792 (Nov 14, 2005)

ok thanks, guess i will wait...unless you have anything further for me.


----------



## Cheeseball81 (Mar 3, 2004)

I'd try running the RootKitRevealer again so he can review the results.


----------



## sweets_792 (Nov 14, 2005)

i did try that again, but still i am unable to save the results to my computer.


----------



## Cheeseball81 (Mar 3, 2004)

I don't know what step he would want to do next. But I know he'd want to do everything in his power so that you would not have to reformat your system.


----------



## sweets_792 (Nov 14, 2005)

thank you. i will wait for him.


----------



## Cheeseball81 (Mar 3, 2004)

:up:


----------



## sweets_792 (Nov 14, 2005)

good morning everyone.

is derek from the uk here?

the kaspersky online virus scanner showed 4 viruses on my computer. last night i downloaded the free trial of kaspersky security suite. it found nothing. does this mean the free trial doesn't really work?


----------



## dvk01 (Dec 14, 2002)

I'm just back from the hospital and am thinking about this one 


can you please do 2 hijackthis logs for me so I can compare them please

I need to see 1 taken in safe mode and 1 taken when in normal mode 

also see if the rootkit revealer log appears on desktop in safe mode I suspect it will do 

This is going to be hard to fix I think and once a rootkit is on the computer they are very difficult to get off 

I am starting to suspect the new version of Hacker defender


----------



## sweets_792 (Nov 14, 2005)

hi derek, good to see you again. 

i will post those logs as soon as i can. thanks for your help.

what do you think of avast virus scanner? i just downloaded it.


----------



## sweets_792 (Nov 14, 2005)

i am still unable to find the rootkitrevealer log after i save it to the desktop.

hijack logs are attached.


----------



## dvk01 (Dec 14, 2002)

download log2.bat to your desktop from www.thespykiller.co.uk/files/log2.bat

double click it and it will make a list of ALL files and folders in both C:\windows & c:\windows\system32 and a list of all folders in C:\program files so we can plough through them and spot anything dodgy, hopefully

it will only pop up for a quick flash

now go to c:\ and look for log2.txt

It will be too big to upload here so go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload there
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the file on your computer, when the file is listed in the windows press send to upload the files


----------



## sweets_792 (Nov 14, 2005)

i have the log2.txt on my computer. i was unable to view the website to post it on however. i am also suffering from that problem. unable to view websites i could view before. it just goes to a blank white page. i am trying to upload the log2.txt here. so let me know if you can view it.


----------



## dvk01 (Dec 14, 2002)

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select delete on reboot, press the red X button, say yes to the prompt and NO to reboot now then repeat for each file in turn

[Note: Killbox makes backups of all deleted files in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry but do keep a note and let us know

C:\WINDOWS\SYSTEM32\avpx64.sys
C:\WINDOWS\SYSTEM32\ps.a3d
C:\WINDOWS\AUTOLNCH.REG
C:\WINDOWS\eSellerateEngine.dll
C:\WINDOWS\kl.exe
C:\Program Files\RazeSpyware

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

Now reboot

now I need to see & examine these files to determine if they are connected 
C:\WINDOWS\atid.ini
C:\WINDOWS\initialize.bat
C:\WINDOWS\MF_C420.lfa
C:\WINDOWS\MF_C421.lfa
C:\WINDOWS\MF_C425.lfa
C:\WINDOWS\Microsoft.MIF
C:\WINDOWS\patch.exe
C:\WINDOWS\protect.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\WININIT.INI
C:\WINDOWS\wipdate.log

Hopefully some of them will give a clue to what else is wrong

either upload them to spykiller or if you still cannot connect there then send to me via email to [email protected]


----------



## sweets_792 (Nov 14, 2005)

i tried deleting these files with killbox:

C:\WINDOWS\SYSTEM32\avpx64.sys
C:\WINDOWS\SYSTEM32\ps.a3d
C:\WINDOWS\AUTOLNCH.REG
C:\WINDOWS\eSellerateEngine.dll
C:\WINDOWS\kl.exe
C:\Program Files\RazeSpyware

i had it on delete on reboot but when i clicked the red x nothing would happen, so i continued with the next step and rebooted.

now i'm not sure how to have you examine these files:

C:\WINDOWS\atid.ini
C:\WINDOWS\initialize.bat
C:\WINDOWS\MF_C420.lfa
C:\WINDOWS\MF_C421.lfa
C:\WINDOWS\MF_C425.lfa
C:\WINDOWS\Microsoft.MIF
C:\WINDOWS\patch.exe
C:\WINDOWS\protect.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\WININIT.INI
C:\WINDOWS\wipdate.log

do i send you a hijack this log or something?


----------



## dvk01 (Dec 14, 2002)

please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:

C:\WINDOWS\atid.ini
C:\WINDOWS\initialize.bat
C:\WINDOWS\MF_C420.lfa
C:\WINDOWS\MF_C421.lfa
C:\WINDOWS\MF_C425.lfa
C:\WINDOWS\Microsoft.MIF
C:\WINDOWS\patch.exe
C:\WINDOWS\protect.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\WININIT.INI
C:\WINDOWS\wipdate.log

if you can't get to spykiller still then send them to me via email to [email protected]

I assume you use Outlook Express so 
make a new email addressed to [email protected]

press attach & navigate to each of those files in turn & press attach until they are all attached and press send


----------



## sweets_792 (Nov 14, 2005)

well i sent the first 8 files to the email, i am still unable to access the site. the last 3 i tried to send but it told me one of them has a virus. what should i do?


----------



## sweets_792 (Nov 14, 2005)

well i was able to send you two more files. the one i couldn't send was secure32.html; this is the one that has a virus, at least that is what my email client is telling me.


----------



## dvk01 (Dec 14, 2002)

OK delete the secure32.html then 

I'm looking at the others 

so far I want you to delete these files 

C:\WINDOWS\WININIT.INI
C:\WINDOWS\system32\iasada.dll
C:\WINDOWS\secure32.html
C:\WINDOWS\protect.exe

then post a fresh HJT log please and tell us if you can get to the other sites properly yet


----------



## dvk01 (Dec 14, 2002)

Also go to add/remove programs & uninstall Zero knowledge ( freedom) if there

it is a security package that several ISPs do issue from time to time you must have used at some previous time & I think it's causing problems now


----------



## dvk01 (Dec 14, 2002)

can you open killbox, click on file/logs select actions history log & paste that back here so I can see what actually has been deleted and what still exists


----------



## sweets_792 (Nov 14, 2005)

hi derek,

thanks for your help.

how should i delete these files?
C:\WINDOWS\WININIT.INI
C:\WINDOWS\system32\iasada.dll
C:\WINDOWS\secure32.html
C:\WINDOWS\protect.exe

manually or with hijack this?

i have gotten rid of Zero Knowledge. Freedom is a product my ISP gave me for free. i really don't like it though.

i will follow with your steps once i am clear on how to do it.

thanks!


----------



## dvk01 (Dec 14, 2002)

either delete them manually or with Killbox, it's your choice

killbox is probably easier


----------



## sweets_792 (Nov 14, 2005)

thanks derek, i will do that and let you know what happens.

i also encountered another problem. i am unable to open already saved word documents on my computer. a box pops up saying it needs to install microsoft office xp, but i already have it on my computer. i didn't get rid of it. i can open word first then open the document i want to look at. that's the only way i can do it. am i missing a file or something? did the virus do it?


----------



## sweets_792 (Nov 14, 2005)

killbox told me these two files do not exist.
C:\WINDOWS\system32\iasada.dll
C:\WINDOWS\secure32.html

should i just go in and delete them manually?


----------



## sweets_792 (Nov 14, 2005)

I have a file like this:
C:\WINDOWS\system32\iasads.dll

is that what you meant?

i tried looking for this file
C:\WINDOWS\secure32.html

i couldn't find it. maybe killbox did delete it.

should i restart after all these files are deleted?


----------



## dvk01 (Dec 14, 2002)

this file C:\WINDOWS\system32\iasads.dll is a good one so don't delete it

if the other one doesn't exist don't worry 

the word problem is an associations problem and the easiest way to cure it is to reinstall word 

many viruses do damage the file associations


----------



## sweets_792 (Nov 14, 2005)

yeah i was afraid i would have to reinstall it, but i don't have the cd or anything. is there a way to reinstall it right on the computer?

Here is my new Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:26:51 PM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123551141\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SFVNA - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\SFVNA.exe (file missing)
O23 - Service: SSELTVRRWY - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\SSELTVRRWY.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## dvk01 (Dec 14, 2002)

you can try add/remove programs & select word, then repair but it normally asks for the cd to do that


----------



## sweets_792 (Nov 14, 2005)

so any idea how to fix the other problems? not being able to access my windows firewall and some websites?

is there still a virus or spyware in my computer causing these problems?


----------



## dvk01 (Dec 14, 2002)

yes you still have the rootkit there
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll

but as both RootkitRevealer & Blacklight are unable to find it or run it looks very difficult to cure 

normally in such cases we would advise for safety reasons to format & reinstall windows and all applications as we can not guarantee that the rootkit will be removed in any other way
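
The triage Derek is doing by eye in this thread (spotting the O20 Winlogon Notify DLL and the orphaned Temp-directory services in the HijackThis log, and separating RootkitRevealer's expected noise from entries worth a look, as his earlier "most entries will be legitimate" warning says) as an added Python example. This is not code from the thread or from the tools' authors; its allowlist, noise paths and sample lines are constructed assumptions modelled on this thread's own logs.

```python
# Added example (not thread, HijackThis or Sysinternals code): triage the two
# tool outputs posted in this thread. Allowlist and noise rules are this
# example's own heuristics, seeded from what the thread's own logs show.
import re
from typing import List, Tuple

# ---- HijackThis: O20 Winlogon Notify and O23 Service entries --------------
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Assumed allowlist of Notify DLLs already vetted by the analyst; WRLogonNTF.dll
# is Webroot Spy Sweeper's logon notifier, seen in the thread's later log.
VETTED_NOTIFY_DLLS = {"wrlogonntf.dll"}


def triage_hjt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for O20/O23 entries that deserve a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            # A Winlogon Notify DLL is loaded into winlogon.exe at logon, which
            # is why the thread kills its threads under winlogon before deleting.
            dll = m.group("path").rsplit("\\", 1)[-1].lower()
            if dll not in VETTED_NOTIFY_DLLS:
                findings.append((line, f"unvetted Winlogon Notify DLL {dll}"))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if re.search(r"\\temp\\", m.group("path"), re.I):
                reasons.append("service binary under a Temp directory")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no vendor string")
            if m.group("missing"):
                reasons.append("binary missing (orphaned service entry)")
            if reasons:
                findings.append((line, "; ".join(reasons)))
    return findings


# ---- RootkitRevealer: tab-separated path, timestamp, size, discrepancy -----
NOISE_PATH_RE = re.compile(r"\\(Temporary Internet Files|Cookies|History)\\", re.I)
# Alternate data streams seen on the thread's machine: Kaspersky's scan marker
# (:KAVICHS) and Internet Explorer's download-zone mark (:Zone.Identifier).
BENIGN_STREAMS = {"kavichs", "zone.identifier"}


def classify_rkr(line: str) -> Tuple[str, str, str]:
    """Return (path, verdict, reason); verdict is 'noise' or 'review'."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4:
        raise ValueError(f"not a RootkitRevealer result line: {line!r}")
    path, _stamp, _size, discrepancy = parts
    tail = path[2:]  # skip the drive letter's own colon before looking for an ADS
    stream = tail.rsplit(":", 1)[1].lower() if ":" in tail else ""
    if discrepancy.startswith("Visible in Windows API, but not in MFT"):
        return path, "noise", "likely removed between the API and on-disk passes"
    if stream in BENIGN_STREAMS:
        return path, "noise", f"known alternate data stream :{stream}"
    if NOISE_PATH_RE.search(path):
        return path, "noise", "browser cache/cookie churn during the scan"
    if discrepancy.startswith("Hidden from Windows API"):
        return path, "review", "hidden from the Windows API outside known-noise paths"
    return path, "review", discrepancy


# Constructed samples modelled on lines posted in this thread (cookie name made up).
HJT_SAMPLE = [
    r"O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll",
    r"O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll",
    r"O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe",
    r"O23 - Service: SFVNA - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\SFVNA.exe (file missing)",
]
RKR_SAMPLE = [
    # The Killbox backup of cert32.dll is itself hidden, suggesting the rootkit hides the name wherever it sits.
    "\t".join([r"C:\!KillBox\cert32.dll", "11/15/2005 1:07 PM", "32.31 KB", "Hidden from Windows API."]),
    "\t".join([r"C:\Documents and Settings\Ryan\Cookies\ryan@example[2].txt", "11/16/2005 12:35 PM",
               "187 bytes", "Visible in Windows API, but not in MFT or directory index."]),
    "\t".join([r"C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS",
               "11/16/2005 6:45 AM", "36 bytes", "Hidden from Windows API."]),
    "\t".join([r"C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\MJCJYJ69\CANXJBAG.png",
               "11/16/2005 12:39 PM", "153 bytes", "Hidden from Windows API."]),
]

if __name__ == "__main__":
    for line, reason in triage_hjt(HJT_SAMPLE):
        print(f"HJT review : {reason}\n    {line}")
    for path, verdict, reason in map(classify_rkr, RKR_SAMPLE):
        print(f"RKR {verdict:7}: {reason}\n    {path}")
```

Only the cert32.dll entry survives both filters, which matches where the thread ends up: a hidden Winlogon Notify DLL that none of the on-box tools can remove.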


----------



## dvk01 (Dec 14, 2002)

let's try this first

Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient!*
Once the Scan is Complete
Reboot back to Normal Mode!
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post!


----------



## sweets_792 (Nov 14, 2005)

i have attached the WinPFind results.


----------



## dvk01 (Dec 14, 2002)

have you got the XP full install disc as I think we are going to have to use the recovery console to attempt to delete this one 

I really don't like the way that none of the rootkit detectors will run properly so if it was my computer I would format & start from scratch


----------



## sweets_792 (Nov 14, 2005)

well i don't have the XP full install disk, so i'm looking for other solutions to my problems.

here are my problems:
1. i can't access windows firewall, i get a message saying due to an unidentified problem, windows firewall settings cannot be displayed

2. i can't access some websites i could access before. it just goes to a blank page.

3. i can't open already saved word documents on my computer. it prompts me to reinstall microsoft office xp. i have to open word first then open the documents that way.

how do i fix these problems?


----------



## dvk01 (Dec 14, 2002)

I can't see any way to safely fix this one.

It's going to need a complete wipeout & reinstall.


----------



## sweets_792 (Nov 14, 2005)

OK, thanks for all your help anyway.


----------



## sweets_792 (Nov 14, 2005)

Here are my RootkitRevealer results.

Anything wrong?

C:\!KillBox\cert32.dll	11/15/2005 1:07 PM	32.31 KB	Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\0532dd79ca72cb67d0a287b3c80f9fbe7e9ab953\metrics\rawdata\E069B697-42B1-4841-B5B5-3E6818DD9DB3.1132162813.tlv	11/16/2005 12:40 PM	1.29 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt	11/16/2005 12:37 PM	188 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt	11/16/2005 12:35 PM	187 bytes	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS	11/16/2005 7:09 AM	36 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS	11/16/2005 6:45 AM	36 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\238LBGM3\CA885H7M.htm	11/16/2005 12:39 PM	7.05 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\AVYB03WA\showthread[4].htm	11/16/2005 12:39 PM	73.05 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\MJCJYJ69\CANXJBAG.png	11/16/2005 12:39 PM	153 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\NSPELDGF\CAT9LV6U.:Zone.Identifier	8/15/2005 4:18 PM	26 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\OP7WMW6G\CAMVKLMJ.png	11/16/2005 12:39 PM	155 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\OP7WMW6G\CASB2VOP.htm	11/16/2005 12:39 PM	5.78 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\OP7WMW6G\CASTA3CN.htm	11/16/2005 12:39 PM	3.43 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\OP7WMW6G\forumdisplay[1].htm	11/16/2005 5:35 AM	83.85 KB	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\QTCLIXOJ\forumdisplay[1].htm	11/16/2005 12:39 PM	84.84 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\T2WQJAXL\CAYJ0FU3.htm	11/16/2005 12:39 PM	64 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiCL0001.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP10000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP20000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiPT0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSL0001.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSP0000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiST0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiVP0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\INDEX.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiCL0001.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP10000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP20000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiPT0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSL0001.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSP0000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiST0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiVP0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\INDEX.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert32.dll	11/16/2005 6:47 AM	32.31 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert32.dll:KAVICHS	11/16/2005 6:47 AM	36 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert32.sys	11/12/2005 12:48 PM	4.00 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert64.sys	11/16/2005 5:26 AM	15.89 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert64.sys:KAVICHS	11/16/2005 5:26 AM	68 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012005031220050313\index.dat	3/12/2005 6:12 PM	32.00 KB	Visible in Windows API, directory index, but not in MFT.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012005031220050313\index.dat:KAVICHS	3/12/2005 6:12 PM	36 bytes	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SYSTEM32\klogini.dll	11/12/2005 12:48 PM	0 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\p3.ini	11/16/2005 6:47 AM	320 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\p3.ini:KAVICHS	11/16/2005 6:47 AM	68 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\qy.sys	11/12/2005 12:48 PM	4.00 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\qz.dll	11/12/2005 12:48 PM	32.31 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\qz.sys	11/12/2005 12:48 PM	15.89 KB	Hidden from Windows API.
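An added example, written by the editor and not part of this thread or of Sysinternals' tool, that triages a RootkitRevealer listing like the one above. It reads the tab-separated path / timestamp / size / discrepancy lines and separates three kinds of noise from the real signal: registry mismatches (which the tool documents as routine for volatile keys such as the RNG seed), alternate data streams (the `:KAVICHS` entries, which the same stream name on dozens of unrelated files marks as a mass-applied marker, assumed here to be an antivirus checksum cache), and files in directories that legitimately change between the tool's two passes (browser caches, Indexing Service `catalog.wci` folders, the Windows Update data store). What remains, plain files that raw NTFS parsing sees but the Windows API does not, is the strong indicator; in this listing those are the `SYSTEM32` files and the copy in `C:\!KillBox`. The sample lines are constructed from entries in this thread; the transient-directory list is the editor's, not the tool's.

```python
"""Triage a RootkitRevealer listing: strong hiding indicators versus expected noise."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in RootkitRevealer's tab-separated format
# (path, timestamp, size, discrepancy), modelled on the listing in this thread.
SAMPLE_LOG = """\
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed\t12/5/2005 10:40 PM\t80 bytes\tData mismatch between Windows API and raw hive data.
C:\\WINDOWS\\SYSTEM32\\cert32.dll\t11/16/2005 6:47 AM\t32.31 KB\tHidden from Windows API.
C:\\WINDOWS\\SYSTEM32\\cert32.dll:KAVICHS\t11/16/2005 6:47 AM\t36 bytes\tHidden from Windows API.
C:\\WINDOWS\\SYSTEM32\\cert64.sys\t11/16/2005 5:26 AM\t15.89 KB\tHidden from Windows API.
C:\\WINDOWS\\SYSTEM32\\klogini.dll\t11/12/2005 12:48 PM\t0 bytes\tHidden from Windows API.
C:\\Program Files\\Dell\\Support\\UI\\Search\\catalog.wci\\INDEX.000:KAVICHS\t11/16/2005 5:21 AM\t36 bytes\tHidden from Windows API.
C:\\Documents and Settings\\Ryan\\Local Settings\\Temporary Internet Files\\Content.IE5\\T2WQJAXL\\CAYJ0FU3.htm\t11/16/2005 12:39 PM\t64 bytes\tHidden from Windows API.
C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\tmp.edb\t12/5/2005 10:41 PM\t64.00 KB\tVisible in Windows API, but not in MFT or directory index.
"""


@dataclass
class Finding:
    path: str
    timestamp: str
    size: str
    discrepancy: str
    kind: str      # "registry", "stream" (alternate data stream) or "file"
    severity: str  # "high", "review" or "low"


REGISTRY_RE = re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.IGNORECASE)

# Directories whose contents legitimately change while RootkitRevealer's two
# passes run (API view versus raw NTFS/hive view), so a discrepancy there is
# usually timing noise rather than something hiding. Editor's list, not the tool's.
TRANSIENT_DIRS = (
    "\\temporary internet files\\",
    "\\cookies\\",
    "\\catalog.wci\\",           # Indexing Service catalogues
    "\\softwaredistribution\\",  # Windows Update data store
    "\\temp\\",
)


def classify(path, discrepancy):
    """Decide what kind of object a line describes and how much attention it deserves."""
    if REGISTRY_RE.match(path):
        # Registry mismatches need a human look; volatile keys such as the RNG
        # seed routinely differ between the tool's two views.
        return "registry", "review"
    rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    if ":" in rest:
        # file.ext:STREAM is an alternate data stream; a stream name repeated on
        # many unrelated files is a mass-applied marker (assumed here to be an
        # antivirus checksum cache), not a per-file hiding technique.
        return "stream", "low"
    if any(d in path.lower() for d in TRANSIENT_DIRS):
        return "file", "low"
    if discrepancy.startswith("Hidden from Windows API"):
        # A plain file that raw disk parsing sees but the Windows API does not,
        # outside any cache directory: the classic signature of a filter driver
        # hiding it. Deleting it through the API fails while that driver runs.
        return "file", "high"
    return "file", "review"


def parse(text):
    """Parse tab-separated RootkitRevealer lines, skipping anything malformed."""
    findings = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        path, ts, size, disc = parts
        kind, sev = classify(path, disc)
        findings.append(Finding(path, ts, size, disc, kind, sev))
    return findings


def summarize(findings):
    """Count of findings per severity."""
    return dict(Counter(f.severity for f in findings))


def high_risk(findings):
    """Paths rated high, in listing order."""
    return [f.path for f in findings if f.severity == "high"]


def stream_names(findings):
    """How often each alternate-data-stream name occurs; a name on dozens of files is a marker."""
    return Counter(f.path.rsplit(":", 1)[1] for f in findings if f.kind == "stream")


if __name__ == "__main__":
    fs = parse(SAMPLE_LOG)
    print(summarize(fs))
    for p in high_risk(fs):
        print("HIGH:", p)
    print(stream_names(fs))
```

Run on the full listing, the high list is exactly the set of files the helpers later ask Killbox to delete, and a follow-up listing that still rates the same paths high after a deletion attempt is the quickest way to confirm that the hiding driver is still active.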


----------



## Rollin' Rog (Dec 9, 2000)

Yes, but this should have been posted in the Security forum. I will move it there.


----------



## Cookiegal (Aug 27, 2003)

I have merged both of your threads together as we don't want to go through all of what has been done before and this relates to the same problem.

Now we can see the rootkit but before proceeding, please post a new HijackThis log as well.

As Derek mentioned before, this computer is seriously compromised and the best option would be to reformat and start over.


----------



## sweets_792 (Nov 14, 2005)

Does reformat mean reinstall or just repair?


----------



## Cookiegal (Aug 27, 2003)

It means reinstall, wipe everything clean.


----------



## sweets_792 (Nov 14, 2005)

What are the steps I need to take to do this? What do I do with everything on my computer that I need to keep? And what do I know for sure I need to keep?


----------



## sweets_792 (Nov 14, 2005)

I have a folder on my computer called minidump.

What is it?

It has files that end with .dmp.

What does that mean?


----------



## sweets_792 (Nov 14, 2005)

Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:28:43 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## Cookiegal (Aug 27, 2003)

The minidump is a folder containing data pertaining to a system crash. It's harmless.

You need the XP CD to reformat and from what I read in the other thread, I don't believe you have one, so let's continue.

*Click Here* and download Killbox and save it to your desktop, but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll

Then boot to safe mode:

*How to restart to safe mode*

Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM32\cert32.dll

C:\WINDOWS\SYSTEM32\cert32.sys

C:\WINDOWS\SYSTEM32\cert64.sys

C:\WINDOWS\SYSTEM32\klogini.dll

C:\WINDOWS\SYSTEM32\p3.ini

C:\WINDOWS\SYSTEM32\qy.sys

C:\WINDOWS\SYSTEM32\qz.dll

*Note: * It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Boot back to Windows normally and post another HijackThis log please.


----------



## sweets_792 (Nov 14, 2005)

I have done this sort of procedure before. I was told to delete files using Killbox, but every time it would tell me that the file could not be deleted. None of the files you listed above could be deleted from my computer using Killbox. What does this mean?

Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:22 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
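The two HijackThis logs above (12/4 and 12/5) differ in exactly one entry, and the interesting fact is which ticked entry did not go away. An added example, the editor's code and not part of HijackThis or of this thread, that makes that comparison mechanical: it parses the `Rn - ...` / `Onn - ...` entry lines of two logs (the process list and header are skipped), reports which entries disappeared or appeared, lists the persistence sections (`O4` Run keys, `O20` Winlogon Notify and AppInit_DLLs, `O23` services) and, given the entries a user ticked for *fix checked*, reports which of them are still present afterwards. The log excerpts are constructed from the two logs in this thread.

```python
"""Compare HijackThis logs: what a 'fix checked' removed, and what survived it."""
import re

# An entry line looks like "O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll";
# header lines and the running-process list do not match this pattern and are skipped.
HJT_ENTRY = re.compile(r"^([RF]\d|O\d+) - (.+)$")

# Sections that describe code started automatically (persistence), which is
# where a rootkit's user-mode component gets registered.
PERSISTENCE_SECTIONS = {"O4", "O20", "O23"}

# Constructed excerpt modelled on the 12/4/2005 log in this thread.
BEFORE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://necasting.com/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = about:blank
O4 - HKLM\\..\\Run: [LoadMSvcmm] C:\\WINDOWS\\system32\\msvcmm32.exe
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL
O20 - Winlogon Notify: cert32 - C:\\WINDOWS\\SYSTEM32\\cert32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgfwsrv.exe
"""

# Constructed excerpt modelled on the 12/5/2005 log: only the Local Page entry is gone.
AFTER_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://necasting.com/
O4 - HKLM\\..\\Run: [LoadMSvcmm] C:\\WINDOWS\\system32\\msvcmm32.exe
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL
O20 - Winlogon Notify: cert32 - C:\\WINDOWS\\SYSTEM32\\cert32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgfwsrv.exe
"""

# The two entries the helper asked to tick and "fix checked".
FIXED_ENTRIES = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = about:blank
O20 - Winlogon Notify: cert32 - C:\\WINDOWS\\SYSTEM32\\cert32.dll
"""


def parse_entries(text):
    """Return the set of (section, body) entries in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Entries present only in the earlier log, and entries present only in the later one."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)


def persistence_entries(text):
    """Autostart-related entries (Run keys, Winlogon Notify/AppInit_DLLs, services)."""
    return sorted(e for e in parse_entries(text) if e[0] in PERSISTENCE_SECTIONS)


def survived_fix(after, fixed):
    """Ticked entries that are still in the follow-up log: the fix did not hold."""
    after_set = parse_entries(after)
    return sorted(e for e in parse_entries(fixed) if e in after_set)


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed)
    print("added:", added)
    print("persistence:", persistence_entries(AFTER_LOG))
    print("survived fix:", survived_fix(AFTER_LOG, FIXED_ENTRIES))
```

On the real logs this reports the `R0 ... Local Page = about:blank` entry as removed and the `O20 - Winlogon Notify: cert32` entry as surviving the fix, which lines up with the RootkitRevealer listings showing `cert32.dll` hidden from the Windows API and with Killbox being unable to delete it: an entry that a registry edit does not clear, whose DLL only raw disk access can see, is exactly the pattern the helpers are describing when they say the rootkit is still there.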


----------



## Cookiegal (Aug 27, 2003)

Please post another log from RootkitRevealer.


----------



## sweets_792 (Nov 14, 2005)

Do I have to run RootkitRevealer in safe mode?


----------



## Cookiegal (Aug 27, 2003)

No, you can do it in normal mode.


----------



## sweets_792 (Nov 14, 2005)

It won't run for me in normal mode. I think I was told once to try it in safe mode.


----------



## sweets_792 (Nov 14, 2005)

OK, never mind. I had to extract it from WinZip first, then run it. Here are the results. I appreciate any help you can give me, and any insight into the weird behaviour of my computer.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed	12/5/2005 10:40 PM	80 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh	12/5/2005 10:39 PM	4 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{BC5C26ED-B9D5-4AED-8692-AA72B3359240}	12/5/2005 10:38 PM	188 bytes	Windows API length not consistent with raw hive data.
C:\!KillBox\cert32.dll	12/5/2005 8:32 PM	32.31 KB	Hidden from Windows API.
C:\!KillBox\cert32.dll:KAVICHS	12/5/2005 8:32 PM	36 bytes	Hidden from Windows API.
C:\!KillBox\cert32.sys	12/5/2005 8:32 PM	4.00 KB	Hidden from Windows API.
C:\!KillBox\cert64.sys	12/5/2005 8:32 PM	15.89 KB	Hidden from Windows API.
C:\!KillBox\cert64.sys:KAVICHS	12/5/2005 8:32 PM	68 bytes	Hidden from Windows API.
C:\!KillBox\klogini.dll	12/5/2005 8:32 PM	0 bytes	Hidden from Windows API.
C:\!KillBox\p3.ini	12/5/2005 8:33 PM	320 bytes	Hidden from Windows API.
C:\!KillBox\p3.ini:KAVICHS	12/5/2005 8:33 PM	68 bytes	Hidden from Windows API.
C:\!KillBox\qy.sys	12/5/2005 8:33 PM	4.00 KB	Hidden from Windows API.
C:\!KillBox\qz.dll	12/5/2005 8:34 PM	32.31 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Desktop\Sweets Stuff\windows fix it stuff\!KillBox\cert32.dll	12/5/2005 8:43 PM	32.31 KB	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS	12/5/2005 10:39 PM	36 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS	11/27/2005 1:22 PM	36 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\NSPELDGF\CAT9LV6U.:Zone.Identifier	8/15/2005 4:18 PM	26 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiCL0001.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP10000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP20000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiPT0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSL0001.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSP0000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiST0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiVP0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\INDEX.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010002.ci	12/5/2005 10:47 PM	880.00 KB	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010002.dir	12/5/2005 10:47 PM	5.64 KB	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.ci	12/5/2005 10:54 PM	28.00 KB	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.dir	12/5/2005 10:54 PM	526 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiCL0001.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP10000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP20000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiPT0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSL0001.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSP0000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiST0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiVP0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\INDEX.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb	12/5/2005 10:41 PM	64.00 KB	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SYSTEM32\cert32.dll	12/5/2005 8:32 PM	32.31 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert32.dll:KAVICHS	12/5/2005 8:32 PM	36 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert32.sys	12/5/2005 8:32 PM	4.00 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert64.sys	12/5/2005 8:32 PM	15.89 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\cert64.sys:KAVICHS	12/5/2005 8:32 PM	68 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012005031220050313\index.dat	3/12/2005 6:12 PM	32.00 KB	Visible in Windows API, directory index, but not in MFT.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012005031220050313\index.dat:KAVICHS	3/12/2005 6:12 PM	36 bytes	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SYSTEM32\klogini.dll	12/5/2005 8:32 PM	0 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\p3.ini	12/5/2005 8:40 PM	320 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\p3.ini:KAVICHS	12/5/2005 8:40 PM	68 bytes	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\Q_ENCLIB.DLL	8/1/2001 1:30 PM	72.00 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\Q_ENCLIB.x	8/1/2001 12:30 PM	72.00 KB	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SYSTEM32\qy.sys	12/5/2005 8:33 PM	4.00 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\qz.dll	12/5/2005 8:34 PM	32.31 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\qz.sys	11/12/2005 12:48 PM	15.89 KB	Hidden from Windows API.


----------



## sweets_792 (Nov 14, 2005)

Waiting for an available tech person...


----------



## Cookiegal (Aug 27, 2003)

Let's try again but with the Delete on reboot option in Killbox.

Boot to safe mode.

Double-click on *Killbox.exe* to run it. Now put a tick by *Delete on Reboot.* In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM32\klogini.dll

C:\WINDOWS\SYSTEM32\p3.ini

C:\WINDOWS\SYSTEM32\cert32.dll

C:\WINDOWS\SYSTEM32\cert32.sys

C:\WINDOWS\SYSTEM32\cert64.sys

C:\WINDOWS\SYSTEM32\qy.sys

C:\WINDOWS\SYSTEM32\qz.dll

C:\WINDOWS\SYSTEM32\qz.sys

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Double check so you don't miss any.

Exit the Killbox.

Reboot and post a new log from RootKit Revealer please.


----------



## sweets_792 (Nov 14, 2005)

I did the steps that you told me with the Killbox. I put it on Delete on Reboot. I put in each file. I clicked the red X. Nothing happened. It did not ask me to confirm or reboot now. But I went ahead and did each file anyway and then rebooted. Did it delete them or did nothing happen?

I will scan with RootkitRevealer and post the results shortly.


----------



## Cookiegal (Aug 27, 2003)

Some problems were reported with the previous version of Killbox. Could you please remove the one you have and redownload the new one from this site:

http://www.downloads.subratam.org/KillBox.exe

Then remove those files again in safe mode please.

Please do this before posting the new RootKitRevealer log.


----------



## sweets_792 (Nov 14, 2005)

OK, I will have those results in the morning.


----------



## sweets_792 (Nov 14, 2005)

Here are the RootkitRevealer results:


HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed	12/7/2005 2:05 PM	80 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh	12/7/2005 2:04 PM	4 bytes	Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS	12/7/2005 2:04 PM	36 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS	11/27/2005 1:22 PM	36 bytes	Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\NSPELDGF\CAT9LV6U.:Zone.Identifier	8/15/2005 4:18 PM	26 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiCL0001.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP10000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP20000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiPT0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSL0001.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSP0000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiST0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiVP0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\Program Files\Dell\Support\UI\Search\catalog.wci\INDEX.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010001.ci	12/7/2005 2:12 PM	888.00 KB	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010001.dir	12/7/2005 2:12 PM	5.74 KB	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010004.ci	12/7/2005 2:17 PM	28.00 KB	Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010004.dir	12/7/2005 2:17 PM	402 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiCL0001.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP10000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP20000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiPT0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSL0001.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSP0000.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiST0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiVP0000.000:KAVICHS	11/16/2005 5:21 AM	36 bytes	Hidden from Windows API.
C:\System Volume Information\catalog.wci\INDEX.000:KAVICHS	11/16/2005 6:53 AM	36 bytes	Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb	12/7/2005 2:06 PM	64.00 KB	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012005031220050313\index.dat	3/12/2005 6:12 PM	32.00 KB	Visible in Windows API, directory index, but not in MFT.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012005031220050313\index.dat:KAVICHS	3/12/2005 6:12 PM	36 bytes	Visible in Windows API, but not in MFT or directory index.


----------



## sweets_792 (Nov 14, 2005)

Waiting for an available tech person...


----------



## sweets_792 (Nov 14, 2005)

I just wanted to say the last files you had me delete with the new download of Killbox worked this time. And one problem of mine is fixed. I can view the websites that I couldn't view before. Now I just have to be able to get into my Windows Firewall without a box coming up that says due to an unidentified problem, Windows Firewall settings cannot be displayed. Also I want to be able to open Word documents on my computer without it trying to install Microsoft Office XP, which I already have. I must be missing a file or something. If anyone knows where I can get this file, I would greatly appreciate it. Anyway thanks for all your help so far. It's slowly starting to get back to normal.


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log.


----------



## sweets_792 (Nov 14, 2005)

Does it look better? What are my next steps?

Logfile of HijackThis v1.99.1
Scan saved at 6:33:20 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: cert32 - cert32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: YLSFPYQLFHQZR - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\YLSFPYQLFHQZR.exe (file missing)


----------



## Cookiegal (Aug 27, 2003)

Click *Start* > *Run* and type in:

*services.msc*

Click OK.

In the services window find: *YLSFPYQLFHQZR.*

Right click and choose *Properties*. On the *General* tab under *Service Status* click the *Stop* button to stop the service. Beside *Startup Type* in the dropdown menu select *Disabled*. Click *Apply* then *OK*. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Rescan with HijackThis and have it fix these entries:

*O20 - Winlogon Notify: cert32 - cert32.dll (file missing)*

*O23 - Service: YLSFPYQLFHQZR - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\YLSFPYQLFHQZR.exe (file missing)*

Reboot and post another HijackThis log please.
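
Cookiegal's read of the HijackThis log above (fix the Winlogon Notify entry that loads the cert32.dll RootkitRevealer had reported hidden, and the ownerless service launched from a Temp directory, while the other `(file missing)` leftovers are only worth a look) expressed as code. This is an added example, not code from the thread or from HijackThis; the sample entries are constructed from the log posted above, and HIDDEN_FROM_RKR holds the file names from the earlier RootkitRevealer result in this thread.

```python
"""Read a HijackThis 1.99 log against the files RootkitRevealer reported hidden.

Added example, not code from the thread or from HijackThis. The entries below
are constructed from the log posted above; HIDDEN_FROM_RKR lists the file
names the earlier RootkitRevealer scan in this thread showed as hidden.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_HJT = "\n".join([
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
    r"O20 - Winlogon Notify: cert32 - cert32.dll (file missing)",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
    r"O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe",
    r"O23 - Service: YLSFPYQLFHQZR - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\YLSFPYQLFHQZR.exe (file missing)",
]) + "\n"
HIDDEN_FROM_RKR = {"cert32.dll", "cert32.sys", "cert64.sys", "klogini.dll",
                   "p3.ini", "qy.sys", "qz.dll", "qz.sys"}

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
FILE_RE = re.compile(r"[\w~.-]+\.(?:dll|exe|sys|ini)\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str   # HijackThis section, e.g. "O20" or "O23"
    body: str   # everything after "Oxx - "


@dataclass(frozen=True)
class Finding:
    entry: Entry
    severity: str            # "fix" (have HijackThis fix it) or "check" (look first)
    reasons: tuple[str, ...]


def parse_hijackthis(text: str) -> list[Entry]:
    """Keep the Rn/On entry lines; header, process list and blanks are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def review(entries: list[Entry], hidden_names: set[str]) -> list[Finding]:
    """Apply the checks the helper applied by eye to every entry."""
    hidden = {n.lower() for n in hidden_names}
    findings = []
    for e in entries:
        files = {f.lower() for f in FILE_RE.findall(e.body)}
        hidden_ref = bool(files & hidden)
        no_owner = e.code == "O23" and "Unknown owner" in e.body
        in_temp = TEMP_RE.search(e.body) is not None
        missing = "(file missing)" in e.body
        reasons = []
        if hidden_ref:
            reasons.append("loads a file RootkitRevealer reported as hidden")
        if no_owner:
            reasons.append("service with no publisher")
        if in_temp:
            reasons.append("runs from a Temp directory")
        if missing:
            reasons.append("target file no longer exists")
        if not reasons:
            continue
        # A lone "(file missing)" is often a leftover of an uninstall, so it
        # only rates "check"; the rootkit reference or an ownerless service
        # launched from Temp is what the helper had fixed outright.
        severity = "fix" if hidden_ref or (no_owner and in_temp) else "check"
        findings.append(Finding(e, severity, tuple(reasons)))
    return findings


def report(text: str, hidden_names: set[str]) -> list[str]:
    """One line per finding, in log order."""
    return [f"{f.severity:5} {f.entry.code}: {f.entry.body}  [{'; '.join(f.reasons)}]"
            for f in review(parse_hijackthis(text), hidden_names)]
```

On the constructed entries, `review()` rates exactly the cert32 Winlogon Notify line and the YLSFPYQLFHQZR service as "fix", the two entries Cookiegal had HijackThis remove, and leaves the AVG service alone.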


----------



## sweets_792 (Nov 14, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 6:43:02 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


----------



## Cookiegal (Aug 27, 2003)

The log looks good now. How's everything running?


----------



## sweets_792 (Nov 14, 2005)

Computer seems to be doing alright. However, I still can't get into my Windows Firewall. It says due to an unidentified problem, Windows Firewall settings cannot be displayed. So I don't know if my firewall is on or off.

Also I can't open Word documents. It prompts to install Microsoft Office XP. It seems as though I am missing a file or something. I have to open Microsoft Word first, then open the file that way.

I have AVG + Firewall. It is gonna expire in 5 days though. And I have Spybot. What would you recommend for great virus, firewall and spyware protection that is free?


----------



## Rollin' Rog (Dec 9, 2000)

Is there any setting in the AVG firewall that disables the Windows firewall when in use?

Also, copy the Windows firewall message word for word.

Run *services.msc* and double click the Windows Firewall .... service and start it if stopped.

Copy any error message.

Verify that each of the following services is also present and started and set to automatic:

network connections
eventlog
Remote Procedure Call
Windows Management Instrumentation

Finally, go to Start > Run, and enter:

*netsh winsock reset*

Test again.


----------



## sweets_792 (Nov 14, 2005)

I downloaded the AVG + Firewall after the spyware and virus infection I got on my computer turned the firewall off, and I couldn't get into the settings to turn it back on ever since.

The error message states: Due to an unidentified problem, Windows cannot display Windows Firewall settings.

I went to Services and I could not find Windows Firewall in the list. I only had to change Network Connections to Automatic; the rest were there and set to Automatic.

I did the last step and the command box came up, some words flashed down and then it quickly disappeared before I could read what the words said. Does this mean it is fine?

How do I proceed with Windows Firewall?


----------



## Rollin' Rog (Dec 9, 2000)

You may have a bad SP2 install.

Run services.msc again and verify that you do NOT see the "Windows Firewall" service as shown in this first attachment.

And run *regedit* and see if you have the "SharedAccess" folder in the location indicated in the second attachment.

If present, does it show the firewall enabled?


----------



## sweets_792 (Nov 14, 2005)

I uninstalled my AVG + Firewall cause the free trial ran out. On the uninstall it said it would automatically turn my Windows XP firewall back on cause the AVG one won't be there anymore. When it went to do this, it told me it was unable to enable it.

I do not see Windows Firewall in the list, but when I went to Registry Editor I saw enable firewall. Can I delete stuff in the Registry Editor I no longer need? Like old program folders of stuff I uninstalled?

What is the next step for my firewall?


----------



## Rollin' Rog (Dec 9, 2000)

No, it's best to leave the registry alone unless you are getting specific advice concerning it.

Does the "enable firewall" entry show a data value of 1 or zero? If zero, double click it and change it to 1 and reboot. Does it hold up?

Run *eventvwr.msc* and look under the System and Applications logs for firewall related error entries. Double click to read their descriptions. Use the "copy" icon to copy the description to the clipboard and paste here.

>> You really may need to uninstall and reinstall XP SP2 to resolve the firewall issue I'm afraid.

Otherwise I would suggest you install one of the free versions, like Zone Alarm, listed on the Security Help Tools page here:

http://forums.techguy.org/showthread.php?s=&postid=663486


----------



## sweets_792 (Nov 14, 2005)

ok i will do these instructions listed. and report back shortly.

any suggestions about my microsoft word? can i get the missing file somewhere? at least i believe i am missing a file. whenever i go to open a word doc on my computer it prompts to install microsoft office xp. never used to do that before. now i have to open word first, then open the document that way. any suggestions?


----------



## Rollin' Rog (Dec 9, 2000)

What is the missing file, for MS Word? And do you have the Office CD?

If you have the CD, just put that in and see if it can find it.

You may want to see if the folks in the Business Applications forum can give you any advice on that -- be sure to give complete details on the message you get.


----------



## sweets_792 (Nov 14, 2005)

i am not sure what the problem is. a few days after i got my infection of spyware and viruses i was unable to open any word documents without going through word first. it started prompting me to install microsoft office xp. so i don't know if i accidentally deleted something needed to open saved documents on the computer or if the spyware or viruses did something. just looking for a solution.


----------



## sweets_792 (Nov 14, 2005)

anyway on the windows firewall subject...

enable firewall has 0x00000001 (1)
________________________________________________

eventvwr.msc:

i am seeing a lot of warning symbols and red x's that say error.

most of the warning symbols are next to MsiInstaller. What is this?

error message for one of the MsiInstaller: 
Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'WORDFiles' failed during request for component '{8E46FEFA-D973-6294-B305-E968CEDFFCB9}'
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Is this talking about my Microsoft Word?
__________________________________________________________

error x's were next to a lot of AVG7 which i uninstalled this morning and installed the free version without the firewall.

AVG7 error message:
2005-12-11 23:57:16,921 STILES [000320:000280] ERROR 000 AVG7.FW.FwPlugin.FwPlgCommunicator FwPlgCommunicator::WaitOnFwUpProcedure - Registering in kernel failed, revert and go to wait again
___________________________________________________________________

also i am seeing warning messages next to Userenv.

Userenv warning message:
Windows saved user STILES\Ryan registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. 
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________________________________________

Does any of this pertain to my windows firewall?


----------



## Rollin' Rog (Dec 9, 2000)

I'm not sure what's up with the Word problem, but the CLSID in the error message is for the component: Global_Word_Core

This component is mentioned in a somewhat similar error covered here:

http://66.102.7.104/search?q=cache:.../5/10.HTM+Global_Word_Core&hl=en&client=opera

Try following their directions to run:

regsvr32 offfilt.dll

and see what happens.

For the Userenv warning message, try installing:

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

We still haven't solved the firewall problem unfortunately.

Removing and reinstalling XP SP2 is a pretty radical undertaking for a "beginner", and you might see if you can satisfy your firewall needs with ZoneAlarm free version if no other serious problems exist.


----------



## sweets_792 (Nov 14, 2005)

yeah i was wondering about reinstalling my XP SP2. i went to uninstall it one day and saw the message about backing up files and stuff like that so i figured i better not mess with it. other than the firewall and microsoft word, i can't see any huge problem with my computer. all the help here at techguy.com has brought my computer a long way from where it was in the beginning. thank you.

so what do you recommend for anti spyware anti virus and firewall that is free?

thanks for all your help.


----------



## Rollin' Rog (Dec 9, 2000)

I think the free version of ZoneAlarm is probably considered the easiest for most to use.

As for antispyware stuff, I personally don't recommend a lot. I use only the free version of AVG -- but I think the Microsoft Antispyware utility is also well recommended these days.

Protection really revolves around knowing that you cannot let any site install something unless you trust it. Don't open email attachments or even emails which you are not expecting. If anyone else uses your computer, make sure they do so using an account which has limited privileges, not Administrative rights.


----------



## sweets_792 (Nov 14, 2005)

well everything seemed to be working fine but this morning when i turned on my computer it came up with a blue screen that said something about ipvnmon.sys i think that's what it was. i didn't take the time to read the whole thing, but it was saying something like windows has detected a problem and has shut down. and something about hardware or software. did i install something bad or do i have a virus? what will this do to my computer?


----------



## sweets_792 (Nov 14, 2005)

this is what the message said:

A problem has been detected and windows has been shut down to prevent damage to your computer. 

The problem seems to have been caused by the following file: ipvnmon.sys

PAGE_FAULT_IN_NONPAGED_AREA 

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: 

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need. 

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.


----------



## sweets_792 (Nov 14, 2005)

i restarted my computer and everything went back to normal, but i am wondering if this will happen again and the steps i should take to fix it. thanks!!


----------



## Rollin' Rog (Dec 9, 2000)

Can you post another HijackThis Scanlog?

I don't know what is running ipvnmon.sys; it appears to be connection monitoring software, possibly used by your ISP.

Have you installed or made any recent changes? Did you install ZoneAlarm?


----------



## sweets_792 (Nov 14, 2005)

yes i installed ZoneAlarm yesterday. does this have anything to do with it?

Logfile of HijackThis v1.99.1
Scan saved at 11:51:31 AM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://necasting.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37470.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://mail.mail2world.net/m2w/mail/mail/video_mail/recorder/ACAP.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


----------
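A small triage helper for HijackThis logs in the layout posted above, added here as an example (it is not HijackThis code and not part of the thread). It parses the `Xn - body` item lines and reports the entries a helper usually looks at first: anything tagged `(file missing)`, O4 autostart entries whose executable lives outside the Windows or Program Files directories, O16 ActiveX downloads fetched over plain `http://`, and every O20 AppInit_DLLs / Winlogon Notify hook. The sample log is constructed in the same format; the `Temp\upd.exe` autostart entry is made up to exercise that check, and the "trusted roots" list is an assumption about this particular layout.

```python
"""Triage helper for HijackThis v1.99 scan logs (added example, not HijackThis code).

Flagged entries are review points for a helper to recognise one by one,
not verdicts: a legitimate program can trip any of these checks.
"""
import re

# Constructed sample in the HijackThis log layout; modelled on the log above,
# with one made-up autostart entry in a Temp folder to show that check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\User\Local Settings\Temp\upd.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# "R0 - ...", "O4 - ...": a section code, " - ", then the rest of the line.
ITEM_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First Windows path ending in an executable-style extension, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cab|sys))"?', re.IGNORECASE)
# Autostart locations considered normal for this layout (assumption); anything else gets a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Return (kind, body) for every HijackThis item line; other lines are skipped."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group("kind"), m.group("body")))
    return items


def triage(text):
    """Return a list of (reason, kind, body) review points for the log text."""
    findings = []
    for kind, body in parse_hjt(text):
        if "(file missing)" in body:
            # Registry still points at a file that is gone: leftover of an uninstall or a removal.
            findings.append(("file-missing", kind, body))
        if kind == "O4":
            m = PATH_RE.search(body)
            if m and not m.group(1).lower().startswith(TRUSTED_ROOTS):
                findings.append(("autostart-outside-trusted-dirs", kind, body))
        if kind == "O16" and " - http://" in body:
            # ActiveX control downloaded without TLS; worth confirming the source.
            findings.append(("activex-download-plain-http", kind, body))
        if kind == "O20":
            # AppInit_DLLs / Winlogon Notify entries load into other processes.
            findings.append(("process-hook", kind, body))
    return findings


if __name__ == "__main__":
    for reason, kind, body in triage(SAMPLE_LOG):
        print(f"{reason:32} {kind:4} {body}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; each finding is a reason code plus the original line, so it can be pasted back into a reply unchanged.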



## sweets_792 (Nov 14, 2005)

i was told by someone else to move the file into another folder, so i did. is this ok?


----------



## Rollin' Rog (Dec 9, 2000)

Since it's not a Windows file, that shouldn't be a problem. However it would be nice to know just what was calling it.

Now that you've done that, reboot and then run *eventvwr.msc* and look under the system and applications logs for an error that might associate with the file not being found.

I suspect ZoneAlarm was using it if this is the first time you have seen that error.


----------



## sweets_792 (Nov 14, 2005)

In application log i just got errors for MsiInstaller.

one of the MsiInstaller error messages: is richink.dll the file i am missing for my microsoft word?

Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'WORDFiles', component '{9C1249C6-4DDB-4A48-BC9F-4AF8D1291AE1}' failed. The resource 'C:\Program Files\Microsoft ActiveSync\RICHINK.DLL' does not exist.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
______________________________________________________________

In system log i got errors for service control manager and Tcpip.

Tcpip error message:

TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## sweets_792 (Nov 14, 2005)

also i am unable to run scandisk on my computer. it keeps telling me it cannot complete the scan. something wrong there?


----------



## Rollin' Rog (Dec 9, 2000)

What is the date stamp on this error:

"TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

If it is recent, it might be an indication of a continuing rootkit worm. If it is recent, verify if it is repeating consistently.


>> for the service control manager errors, we need to see more info. Double click or right click and view the properties. Use the copy icon to copy one instance of each unique error here.

I'm uploading richink.dll 

You can unzip it and copy it to

C:\Program Files\Microsoft ActiveSync


----------



## sweets_792 (Nov 14, 2005)

well microsoft activesync is something i downloaded once, then uninstalled cause i thought it might conflict with my hotsync manager i have already with my palm pilot.
what should i do about the richink.dll?

the TCP/IP error i see first appeared on the 19th of november. 25 times it appeared over the month of november. 15 times this month so far. 
____________________________________________________________

This month i also see a lot for Dhcp.

Dhcp error message:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0007E9DDDAD6. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

___________________________________________________________________

i also see a few errors for E100B this month.

E100B error message:
Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down

_____________________________________________________________

one of the error messages for service control manager (this one is from yesterday):

The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
______________________________________________________________

any suggestions?


----------
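Rollin' Rog's question above (is the Tcpip error recent, and is it repeating consistently?) is easier to answer from a saved copy of the System log than from the "copy" button one event at a time. The script below is an added example, not from the thread: it reads an Event Viewer tab-delimited text export, counts the error quoted above per day, and decides whether it recurs on several distinct days near the newest entry. Assumptions: the export's column order is Type, Date, Time, Source, Category, Event, User, Computer, Description with US-style M/D/YYYY dates; the sample rows are constructed, not the poster's log, and the computer name and non-Tcpip event numbers in them are placeholders.

```python
"""Are the Tcpip "security limit" errors recent and repeating? (added example, not from the thread)

Event Viewer can save a log as tab-delimited text (right-click the log,
Save Log File As, file type "Text"). This reads such a file and turns
"25 in November, 15 this month" into per-day counts and a yes/no.
"""
from collections import Counter
from datetime import datetime, timedelta

SECURITY_LIMIT_MSG = ("TCP/IP has reached the security limit imposed on the "
                      "number of concurrent TCP connect attempts.")


def _row(etype, day, time, source, event_id, desc):
    """Build one export row; Category/User/Computer are constructed placeholders."""
    return "\t".join([etype, day, time, source, "None", event_id, "N/A", "PC1", desc])


# Constructed sample rows (not the poster's log): three bursts on 12/13-12/15
# plus unrelated Dhcp and E100B entries. Event numbers for those two are placeholders.
SAMPLE_EXPORT = "\n".join([
    "Type\tDate\tTime\tSource\tCategory\tEvent\tUser\tComputer\tDescription",
    _row("Error", "12/11/2005", "08:14:03 AM", "Dhcp", "0", "Your computer was not able to renew its address from the network (constructed)"),
    _row("Error", "12/13/2005", "11:02:10 PM", "Tcpip", "4226", SECURITY_LIMIT_MSG),
    _row("Error", "12/13/2005", "11:02:40 PM", "Tcpip", "4226", SECURITY_LIMIT_MSG),
    _row("Error", "12/13/2005", "11:03:15 PM", "Tcpip", "4226", SECURITY_LIMIT_MSG),
    _row("Warning", "12/14/2005", "07:55:01 AM", "E100B", "0", "Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down"),
    _row("Error", "12/14/2005", "09:10:00 PM", "Tcpip", "4226", SECURITY_LIMIT_MSG),
    _row("Error", "12/14/2005", "09:10:30 PM", "Tcpip", "4226", SECURITY_LIMIT_MSG),
    _row("Error", "12/14/2005", "09:11:02 PM", "Tcpip", "4226", SECURITY_LIMIT_MSG),
    _row("Error", "12/15/2005", "10:30:00 PM", "Tcpip", "4226", SECURITY_LIMIT_MSG),
])


def parse_export(text):
    """Parse tab-delimited Event Viewer rows into dicts; header and garbled lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 9:
            continue
        try:
            day = datetime.strptime(parts[1], "%m/%d/%Y").date()
        except ValueError:
            continue  # header row or a date in another format
        events.append({"type": parts[0], "date": day, "source": parts[3],
                       "event": parts[5], "desc": "\t".join(parts[8:])})
    return events


def security_limit_per_day(events):
    """Counter of date -> number of Tcpip security-limit errors logged that day."""
    return Counter(e["date"] for e in events
                   if e["source"] == "Tcpip" and e["desc"].startswith(SECURITY_LIMIT_MSG))


def is_repeating(events, window_days=7, min_days=3):
    """True when the error occurs on at least min_days distinct days inside the
    window_days ending on the newest event in the log: recent AND recurring."""
    per_day = security_limit_per_day(events)
    if not per_day:
        return False
    newest = max(e["date"] for e in events)
    window_start = newest - timedelta(days=window_days - 1)
    return sum(1 for d in per_day if d >= window_start) >= min_days


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for day, n in sorted(security_limit_per_day(evs).items()):
        print(day, n)
    print("repeating:", is_repeating(evs))
```

A "yes" from `is_repeating` is a reason to collect the next log Rollin' Rog asks for, not a diagnosis on its own: the same error also shows up with flaky links (compare the E100B "Link Down" and Dhcp entries on nearby days) and with peer-to-peer clients that open many connections at once.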



## Rollin' Rog (Dec 9, 2000)

Is ZoneAlarm indicating any blocked outgoing connection attempts? And is there anything you don't recognize that you have authorized a connection for?

Perhaps you should post another Rootkitrevealer log as well.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

Go ahead and copy the richink.dll to the ActiveSync folder if it still exists. I seem to have it, though I don't recall ever having installed it; it only has 3 files in it.


----------



## sweets_792 (Nov 14, 2005)

well i don't have the activesync folder so where should i put the file? in programs?


----------



## sweets_792 (Nov 14, 2005)

the firewall seems to be working fine. i don't know too much about them. it blocks connections from the internet to my computer periodically and it always asks to permit programs when i open them for the first time since having the firewall.

i will post a rootkit revealer log shortly.

i haven't seen another blue screen since it last happened. does this mean i am ok now? i just wanna be able to open my microsoft word without having an install prompt come up. it comes up every time i save a document too. and copy and paste into word.


----------



## Rollin' Rog (Dec 9, 2000)

You should probably get help in the Business Applications forum for the problem with Word.

I wouldn't be too concerned about 1 blue screen; it's when they persist that you have to deal with them.

Just as a test, perhaps a bit late now, but would you follow method 2 in this article and see if it allows you to enable the Windows firewall:

http://support.microsoft.com/default.aspx?scid=kb;en-us;892199


----------



## sweets_792 (Nov 14, 2005)

how seriously should i take this warning for doing method 2?

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.


----------



## Rollin' Rog (Dec 9, 2000)

I wouldn't worry about it at all. What you can do before deleting the key is select File > Export and save it first. That way it could be reinstalled with a click or two. System Restore will do the same thing as well.


----------
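Two pieces of advice above go together: check whether the "enable firewall" value reads 1 or 0 (Rollin' Rog, earlier in the thread), and use File > Export to save the key before deleting it (the post just above). The script below, an added example that is not part of the thread, reads such an exported `.reg` file and reports the EnableFirewall state for each FirewallPolicy profile, so the saved copy doubles as a record of what the setting was. The registry path in the constructed sample is the standard XP SP2 location, which the thread itself only shows in an attachment, so treat it as an assumption; the values are made up.

```python
"""Read the Windows Firewall state from a Registry Editor export (added example, not from the thread)."""
import re

# Constructed .reg export in the "Windows Registry Editor Version 5.00" format.
# Path assumed to be the XP SP2 firewall policy location; values are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                   # [HKEY_...\Path]
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')  # "Name"=dword:00000001


def parse_reg_dwords(text):
    """Return {key path: {value name: int}} for the DWORD values in a .reg export.

    Only DWORDs are collected; strings and binary values are ignored here.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("hex"), 16)
    return result


def firewall_profiles(text):
    """Map each FirewallPolicy profile name to True if EnableFirewall is 1, else False."""
    out = {}
    for key, values in parse_reg_dwords(text).items():
        if "\\FirewallPolicy\\" in key and "EnableFirewall" in values:
            profile = key.rsplit("\\", 1)[1]
            out[profile] = values["EnableFirewall"] == 1
    return out


def load_reg_file(path):
    """Registry Editor 5.00 exports are UTF-16 with a byte-order mark."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for profile, enabled in firewall_profiles(SAMPLE_REG).items():
        print(f"{profile}: EnableFirewall={'1 (on)' if enabled else '0 (off)'}")
```

For a real export use `firewall_profiles(load_reg_file("firewall-backup.reg"))`; the result for the poster's machine would be the "0x00000001 (1)" they reported, which is why the registry value alone does not explain the missing service.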



## sweets_792 (Nov 14, 2005)

well this didn't allow for me to get back into my windows firewall. should i just stick with ZoneAlarm?

do you still want me to post another rootkit revealer log?


----------



## sweets_792 (Nov 14, 2005)

hello again,

i did a virus scan today with AVG and it came up with 2 files that were associated with my Killbox.

cert32.dll
qz.dll

these two files were infected with Trojan horse backdoor.Generic.ZZU

is there something wrong with my killbox?


----------



## Cookiegal (Aug 27, 2003)

Were they located in the C:Submit! folder? These are back-ups of files that were deleted using Killbox. You can delete the folder.


----------



## sweets_792 (Nov 14, 2005)

all they said was they were located in killbox. AVG deleted the files immediately once the scan was done.


----------



## sweets_792 (Nov 14, 2005)

my killbox folder opens up and there is a logs folder and a few files.

cert64
p3
qz
cert32
klogini.dll
qy

the qz and cert32 were the ones infected and AVG said it deleted them but they are still in my killbox folder.

is there something wrong with my killbox?


----------



## sweets_792 (Nov 14, 2005)

and how come there is no uninstall for killbox and it is not located in my Add/Remove programs list?

how do i get rid of it completely if i have to?


----------



## Byteman (Jan 24, 2002)

Hi, Killbox, as well as many of the special small tools that are used for various computer work, are stand-alone applications that do not use an installer...so, they do not appear in Add/Remove Programs, they are only extracted to a folder or loose on the desktop for use, then can be simply deleted... as Cookiegal told you above.
Most of the antivirus and antispyware apps do save copies or the actual files in Quarantine. Often, these items are detected by other programs, since they are real copies. There are times where these removal programs make mistakes, and it's good to have backups! They can always be safely deleted. 
Killbox keeps them in the !Submit folder in case someone needs the files to add to one of the detection tools or antivirus programs.
Experts here do sometimes have to ask for them to be uploaded for an exam. If these files somehow are not in a !Submit folder, then I guess something could have happened when you extracted the download; in that case, you could go ahead and delete the entire Killbox folder itself and get a new download of Killbox.


----------



## Rollin' Rog (Dec 9, 2000)

I don't know what the problem with the Windows firewall is so I would just stick with ZoneAlarm if all else is well.

If you are still seeing those tcp/ip errors in the event log, post another rootkitrevealer log.


----------



## sweets_792 (Nov 14, 2005)

i saw 3 tcp/ip errors from yesterday. and 3 on the 14th. that is it since the last ones i told you about.

my windows firewall was working perfectly fine until i got infected with viruses and spyware. i guess i am all clean now, but how do i know for sure that i am?

should i post a rootkit revealer log just so you can look it over?


----------



## Rollin' Rog (Dec 9, 2000)

Yes, you should not be getting those tcp/ip errors unless there is something wrong at your ISP level or there is something trying to connect to a non-existent location.


----------



## sweets_792 (Nov 14, 2005)

ok i will post another rootkit revealer log tonight.


----------



## sweets_792 (Nov 14, 2005)

sorry i haven't gotten to the rootkit revealer log yet. the holidays have been pretty hectic.

i have a question. why doesn't my scan disk work?


----------

