# about blank se.dll got me



## mactech (Feb 27, 2005)

the se.dll has got me. 

what does it do that i don't want to know?
i've read some threads (about 10) on various forums, .. but they all end with "i tried that and it came back..."

i have hjt cws & others but don't know what works..
i can get what i want from a 'puter when it works, but i'm not systems savvy. however, i'm ready to get busy with "about/blank" if someone has a solution/fix thanks-mac

win-xp


----------



## Flrman1 (Jul 26, 2002)

Hi mactech

Welcome to TSG! 

Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now *Click here* to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program. Click on the *Do a system scan and save a logfile* button. It will scan and then ask you to save the log. Click "Save" to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## mactech (Feb 27, 2005)

i've read thru SKYLERZOOK thread above, and it seems very thorough and ...intimidating

i wouldn't know where to start

i also read about a **grrd.gif file somewhere
what should i do first

??? mac


----------



## mactech (Feb 27, 2005)

here's the logfile..looks like a bunch of cr#*p in with some things i recognize ---what is all this ??---thanks mac
*************

Logfile of HijackThis v1.99.1
Scan saved at 9:59:41 PM, on 2/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\crack\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk Revit 5.0\Program\crack\revitlic.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\WINDOWS\system32\ntddetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: http://213.159.117.203/dkprogs/hosts.txt
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {B7ACB3DD-E118-476F-9344-60D885437CA1} - C:\WINDOWS\System32\odhc.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [PZDGJMQ] C:\WINDOWS\PZDGJMQ.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [*olesvc] C:\WINDOWS\Driver Cache\olesvc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\system32\ntddetect.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\system32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O18 - Filter: text/html - {B39E5507-7FDD-4B1D-8925-7364C559BF32} - C:\WINDOWS\System32\odhc.dll
O18 - Filter: text/plain - {B39E5507-7FDD-4B1D-8925-7364C559BF32} - C:\WINDOWS\System32\odhc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\crack\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
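
A triage script for logs like the one above, added here as an example (it is not from the thread, from TSG or from HijackThis). It flags the same entry types the helpers pick out by hand and lists the files named in flagged lines so they can be located and scanned before anything is deleted; which keys and directories count as suspicious is my own assumption, and the sample lines are copied from the posted log.

```python
"""Triage a HijackThis log for the about:blank / se.dll hijack pattern.
Added example, not from the thread or from HijackThis; which keys and
directories count as suspicious is this example's own assumption."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above, keeping a
# benign line from several sections so the checks have something to pass.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: http://213.159.117.203/dkprogs/hosts.txt
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {B7ACB3DD-E118-476F-9344-60D885437CA1} - C:\WINDOWS\System32\odhc.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [*olesvc] C:\WINDOWS\Driver Cache\olesvc.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted IP range: 213.159.117.202
O18 - Filter: text/html - {B39E5507-7FDD-4B1D-8925-7364C559BF32} - C:\WINDOWS\System32\odhc.dll
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Search settings set to about:blank, or to a page served from inside a DLL
# via res://, are this hijacker's signature (Start Page alone is not).
SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant", "HomeOldSP")
# Legitimate autostarts do not run from a user's Temp folder or Driver Cache.
ODD_DIRS_RE = re.compile(r"\\(temp|driver cache)\\", re.I)
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)(?=$|[\s,/"])', re.I)

@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str
    line: str

def check_r(body):
    key, _, value = body.partition(" = ")
    low = value.strip().lower()
    if low.startswith("res://") and ".dll/" in low:
        return "IE page served from inside a DLL resource"
    if low == "about:blank" and any(k in key for k in SEARCH_KEYS):
        return "search setting pointed at about:blank"
    return None

def check_o1(body):
    entry = body.partition("Hosts:")[2].strip()
    if re.match(r"https?://", entry, re.I):
        return "hosts file refers to a remote URL"
    addr, _, host = entry.partition(" ")
    if addr not in ("127.0.0.1", "0.0.0.0", "::1"):
        return f"hosts maps {host} to {addr}, not a normal block address"
    return None

def check_o2(body):
    name = body.partition(": ")[2].partition(" - ")[0].strip()
    return "browser helper object with no name" if name == "(no name)" else None

def check_o4(body):
    cmd = body.partition("] ")[2]
    if ODD_DIRS_RE.search(cmd):
        return "autostart runs code from a Temp or Driver Cache directory"
    if re.match(r"rundll32(\.exe)?\s", cmd, re.I):
        return "autostart loads a DLL through rundll32 (review the DLL)"
    return None

def check_o18(body):
    kind, _, rest = body.partition(": ")
    if kind == "Filter" and rest.split(" - ")[0].strip().lower() in ("text/html", "text/plain"):
        return "MIME filter on text/html or text/plain (can rewrite every page)"
    return None

CHECKS = {"R0": check_r, "R1": check_r, "O1": check_o1, "O2": check_o2, "O4": check_o4,
          "O15": lambda body: "site or IP range added to the IE Trusted zone",
          "O18": check_o18}

def triage(log_text):
    """Return one Finding per log line that trips a check, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["sec"] not in CHECKS:
            continue
        reason = CHECKS[m["sec"]](m["body"])
        if reason:
            findings.append(Finding(m["sec"], reason, raw.strip()))
    return findings

def flagged_files(findings):
    """Unique file paths named in flagged lines: what to locate and scan first."""
    paths = []
    for f in findings:
        for p in PATH_RE.findall(f.line):
            if p.lower() not in [q.lower() for q in paths]:
                paths.append(p)
    return paths

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), flagged_files(triage(SAMPLE_LOG)), sep="\n")
```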


----------



## Flrman1 (Jul 26, 2002)

Copy the contents of the quote box to Notepad. 
Name the file Appinit.bat 
Save as type All Files 
Save on the Desktop.



> Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
> ren windows1.hiv windows.txt


Double click on Appinit.bat 
This will create a file on the desktop named windows.txt 
*Attach the windows.txt file here to your next post please. Don't copy and paste it.*
----------------

Which version of XP are you running? Pro or Home? 
Also which file system? FAT32 or NTFS? Check the properties of the C Drive in my computer to get the file system.

Also *Click here* to download DLLCompare.exe.

Save it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the *Compare* button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete then you will see in blue Completed.
Click the *Make a Log of what was Found* button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.


----------



## jparr111 (Dec 17, 2004)

flrman1 is good...you are Allstate(in good hands)


----------



## mactech (Feb 27, 2005)

here we go.. Appinit.bat -> windows.txt file attached
** win xp "Home" ed. ** NTFS file sys **

**** DLLCompare log follows ***

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

1,327 items found: 1,327 files, 0 directories.
Total of file sizes: 279,432,003 bytes 266.48 M

Administrator Account = True

--------------------End log---------------------


----------



## mactech (Feb 27, 2005)

all apologies for the duplicate post(s)
i "lost" the first one and thought it went away..
thanks for bearing with me -mac


----------



## mactech (Feb 27, 2005)

not to keep posting..but,
my opera just crashed (i switched over because IE went dead (AboutBlank only))
Task Manager is also getting weaker and weaker and crashes often (this is all in the last 4 or 5 days) 
98 was juicy but xp has been rock solid for me
why does this happen.?.. are people mean, is microsoft unnecessarily vulnerable or stagnant or ...is apple or linux better in that regard..?
do they just want my credit card # or what..? what is up 
-mac


----------



## Flrman1 (Jul 26, 2002)

Go here and download Adaware SE. Install the program then in the main window look in the bottom right corner and click on *Check for updates now* then click *Connect* and download the latest reference files, but don't run it.

Also click here to download CWSinstall.exe. Run the CWSinstall.exe file and it will install CWShredder, but don't run it yet either.

Set your folder options to show hidden files like so:

Click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

Now copy these instructions to notepad and save them to a convenient location like your desktop. You will need them to refer to in safe mode.

Restart into Safe mode.

How to start your computer in safe mode

Do all of the following in safe mode:

Run Hijack This and put a check by all of the following entries then click the "Fix Checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: http://213.159.117.203/dkprogs/hosts.txt

O4 - HKLM\..\Run: [*olesvc] C:\WINDOWS\Driver Cache\olesvc.exe

O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe

O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\system32\ntddetect.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll,DllInstall

O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\system32\ntddetect.exe

O18 - Filter: text/html - {B39E5507-7FDD-4B1D-8925-7364C559BF32} - C:\WINDOWS\System32\odhc.dll

O18 - Filter: text/plain - {B39E5507-7FDD-4B1D-8925-7364C559BF32} - C:\WINDOWS\System32\odhc.dll

Now find and delete these files:

C:\WINDOWS\Driver Cache\olesvc.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\system32\ntddetect.exe

Also in safe mode navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

*Run CWShredder* Click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do its thing.

Next run Adaware according to these instructions:

From main window :Click *Start* then under *Select a scan Mode* tick *Perform full system scan*.

Next deselect *Search for negligible risk entries*.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose *select all* from the drop down menu and click *Next*.)

*Restart your computer*.

Do you know what this is?:

O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL


----------



## Flrman1 (Jul 26, 2002)

Also do this:

Download DelDomains.inf from *here*.

Rightclick DelDomains.inf and choose install.

Reboot and post another log please.


----------



## mactech (Feb 27, 2005)

i know what buzzsaw is..
it's a construction industry site that relates to plotter software that i use (autodesk subsidiary site) ..should be ok, i think

not to keep posting... but my page file is creeping up..up
it went a gig and a half last night..usually only 125 mb or so with just the browser running.


----------



## mactech (Feb 27, 2005)

ok flrman1,..
did all that....except
***
A) there was no olesvc.exe-> found cvselo.bak - i deleted it..?!
B) there was no systime.exe-> i found systime.txt - I left it alone ? !
c) there was no winnt\temp folder but locals..\temp is pretty well empty now (%temp%)
cwshred + adaware then restart
then del domains reboot
posting new hjt log, as follows: 
***
Logfile of HijackThis v1.97.7
Scan saved at 4:23:40 AM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\crack\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk Revit 5.0\Program\crack\revitlic.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Opera7\opera.exe
C:\unzipped\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {B7ACB3DD-E118-476F-9344-60D885437CA1} - C:\WINDOWS\System32\odhc.dll
O2 - BHO: (no name) - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [PZDGJMQ] C:\WINDOWS\PZDGJMQ.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\overnet.exe -t
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37797.8453935185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab

(btw: It's getting worse-> task mgr is now useless..& win explorer now displays the se.dll error dialog i used to get before i lost IE and task mgr)


----------



## Flrman1 (Jul 26, 2002)

*Click here* to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

*Click here* to download DLLCompare.exe.

Save it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the *Compare* button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete then you will see in blue Completed.
Click the *Make a Log of what was Found* button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.


----------



## mactech (Feb 27, 2005)

i'm back
***
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

1,327 items found: 1,327 files, 0 directories.
Total of file sizes: 279,432,003 bytes 266.48 M

Administrator Account = True

--------------------End log---------------------


----------



## Flrman1 (Jul 26, 2002)

Do this too please:


flrman1 said:


> *Click here* to download Find It NT-2K-XP.zip.
> 
> Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.


----------



## mactech (Feb 27, 2005)

Here's the "find it" log (thanks so far)
i notice some things on here i don't use very much anymore...winfax, daemon, overnet, nero, etc. are they just running for no reason or what?
**** **** ****
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC94-BB10

Directory of C:\WINDOWS\System32

02/26/2005 04:22 PM dllcache
08/11/2003 02:32 PM Microsoft
0 File(s) 0 bytes
2 Dir(s) 1,414,598,656 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC94-BB10

Directory of C:\WINDOWS\System32

02/26/2005 04:22 PM dllcache
0 File(s) 0 bytes
1 Dir(s) 1,414,598,656 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is FC94-BB10

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is FC94-BB10

Directory of C:\WINDOWS\System32

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\DC_KDC265.apl: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"WFXSwtch"="C:\\PROGRA~1\\WinFax\\WFXSWTCH.exe"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\INSTAN~1.EXE /h"
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\REGIST~1.EXE"
"OneTouch Monitor"="C:\\Program Files\\Visioneer OneTouch\\OneTouchMon.exe"
"PZDGJMQ"="C:\\WINDOWS\\PZDGJMQ.exe"
"Swapper"="C:\\Program Files\\Revolutionary Stuff\\Swapper.NET\\Swapper.exe /m"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033 -noicon"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Mouse Suite 98 Daemon"="PELMICED.EXE"
"Overnet"="C:\\Program Files\\Overnet\\overnet.exe -t"
"sp"="rundll32 C:\\DOCUME~1\\mac\\LOCALS~1\\Temp\\se.dll,DllInstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




----------
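The "Keys Under Notify" section of that Find.bat output lists Winlogon notification packages. The tool dumps them because Winlogon loads every DLL registered there at logon, which is one way a hijacker re-creates entries that were just fixed, so the list is worth comparing against the stock set. As an added example, not part of the thread and not code from the Find It tool, the Python below parses a REGEDIT4 export of that key (decoding the hex(2) DllName values), checks each subkey against the stock XP SP2 entries shown in the export above, and flags any package whose DLL lives outside System32. The allow-list is the editor's, and the "example" subkey with its Temp-folder DLL in the sample input is constructed to show what a hit looks like; nothing of the kind appears in mactech's export.

```python
"""Triage a REGEDIT4 export of the Winlogon\\Notify key on Windows XP.

Added example by the editor, not part of the thread or of the Find It tool.
Winlogon loads every DLL registered under Notify at logon, so a hijacker that
adds itself there comes back after its Run key is removed. KNOWN_XP_NOTIFY is
the editor's allow-list, taken from the stock entries in the export above.
"""
import re
from typing import Dict, List, Optional, Tuple

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")

# Stock XP SP2 notification packages: subkey (lower case) -> DLL it should name.
KNOWN_XP_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}


def decode_hex2(value: str) -> str:
    """Decode a REGEDIT4 'hex(2):' value: REG_EXPAND_SZ as NUL-terminated ANSI bytes."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_notify_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {subkey: {value_name: value}} for every subkey under Notify."""
    packages: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    pending = ""  # accumulates a hex value that REGEDIT4 wrapped over several lines
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith(",\\"):
            pending = line[:-1]
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            is_notify = key.lower().startswith(NOTIFY_PREFIX.lower())
            current = key[len(NOTIFY_PREFIX):] if is_notify else None
            if current is not None:
                packages[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        if val.startswith("hex(2):"):
            parsed: object = decode_hex2(val[len("hex(2):"):])
        elif val.startswith("dword:"):
            parsed = int(val[len("dword:"):], 16)
        else:  # quoted string; REGEDIT4 doubles backslashes inside it
            parsed = val.strip('"').replace("\\\\", "\\")
        packages[current][name.strip('"')] = parsed
    return packages


def triage_notify(packages: Dict[str, Dict[str, object]]) -> List[Tuple[str, Optional[str], str]]:
    """Return (subkey, dll, reason) for every package that deserves a closer look."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for sub, values in packages.items():
        dll = next((str(v) for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            findings.append((sub, None, "no DllName value"))
            continue
        low = dll.lower()
        expected = KNOWN_XP_NOTIFY.get(sub.lower())
        in_system32 = low.startswith(("%systemroot%\\system32\\", "c:\\windows\\system32\\"))
        if "\\" in low and not in_system32:
            findings.append((sub, dll, "DLL path outside System32"))
        elif expected is None:
            findings.append((sub, dll, "not a stock XP notification package"))
        elif low.rsplit("\\", 1)[-1] != expected:
            findings.append((sub, dll, "stock subkey but unexpected DLL (expected %s)" % expected))
    return findings


# Constructed input: two stock entries copied from the export above plus a
# hypothetical 'example' package pointing into the user's Temp folder.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example]
"DLLName"="C:\\DOCUME~1\\mac\\LOCALS~1\\Temp\\example.dll"
"Logon"="ExampleLogon"
"""

if __name__ == "__main__":
    for sub, dll, reason in triage_notify(parse_notify_export(SAMPLE_EXPORT)):
        print("%-14s %-45s %s" % (sub, dll, reason))
```

Run it against a real export (regedit, right-click Notify, Export) by reading the file and passing its text to parse_notify_export. Bare DLL names such as crypt32.dll are resolved from System32 by Winlogon, so only full paths are checked for location; a stock subkey whose DllName has been swapped is still caught by the name comparison.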



## mactech (Feb 27, 2005)

Page file is still creeping up
Task Mgr still crashing
IE won't load
If I try to load IE, it crashes Opera
Excel (Office) won't load
Otherwise, all is well here -mac


----------



## Mosaic1 (Aug 17, 2001)

May we see a startuplist please. I saw one at another forum where a file was reinstalling the hijack using an entry we would see there.

In Hijackthis press the Config Button
Click Misc Tools
*Check both boxes under the Generate StartupList log* and then click the generate startuplist log button.

Paste the contents into your next reply here.


----------



## Mosaic1 (Aug 17, 2001)

Go to this link, upload this file and have it scanned please.
C:\WINDOWS\PZDGJMQ.exe
http://virusscan.jotti.org/
Post the results.


----------



## Mosaic1 (Aug 17, 2001)

Download this zip:
http://forums.techguy.org/attachment.php?attachmentid=50682

Create a folder on the desktop. Name it *get bhos*. Extract the contents of the zip to that folder.

This contains a simple batch file named:
*Get Bho Hive.bat*

Double click on Get Bho Hive.bat

It will produce a file named Bho.txt in that same folder. Don't copy and paste. This is a Binary file and will not only look odd, but also it will cause a huge scroll on this page making it hard to read.

Attach bho.txt into your next reply here.


----------



## Flrman1 (Jul 26, 2002)

Also I just noticed that the last log you posted was from HJT version 1.97. You need to get rid of the old one and only use 1.99.1.


----------



## mactech (Feb 27, 2005)

Mac's Startup List Attached

And Also Scan Report

***thanks****


----------



## mactech (Feb 27, 2005)

Mac's Get Bho Attached
***
Thanks


----------



## Guest (Feb 28, 2005)

Hi CarlBarker, and welcome to TSG.  

You need to make your own thread so that the Tech's can assist you quicker.


----------



## mactech (Feb 27, 2005)

TO CARL BARKER:
I'm new here Carl, and I just do as I'm told. You gotta trust somebody. So I'm learning what I can about my system.
-BTW- you're welcome to follow along here, but if you're having problems, they might want you to get your own thread so it's less confusing. They seem quite willing to help. If you have the AboutBlank bug, you have my sympathies. Everyone's system seems to be a little bit different and I guess the various solutions help increase the overall knowledge base.
they're putting a lot of effort into my case, for no charge, so it seems a donation will be in order 
***
Mac


----------



## mactech (Feb 27, 2005)

a few random off topics:

*my page file seems to have stabilized (still a bit high, I think)
*task manager is stable
* if i were to open IE, i'm sure task mgr would crash and so would opera
*i had forgotten how good opera is (i'm just getting started w/ firefox)
* i'm starting not to miss IE...this may have been a blessing in that regard
*i thought i was running Norton, but since installing SP2, security center informs me i have no anti-virus.---what should i be running as a preventative?
*is aboutblank a virus?
-mac


----------



## mactech (Feb 27, 2005)

spoke too soon...
opera crashed as i posted that last one


----------



## Mosaic1 (Aug 17, 2001)

Hi mactech,

I would like to have a look at this registry key.

Go to Start >Run and type regedit. Press enter.

Navigate to:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*

Right click on Image File Execution Options and select export from the menu.

Name the file and then zip it and attach to your next reply too please.


----------



## Mosaic1 (Aug 17, 2001)

I had asked you to scan a file for a virus. You scanned your startuplist report.

This is the file to scan:
*C:\WINDOWS\PZDGJMQ.exe*
http://virusscan.jotti.org/
Post the results please.


----------



## mactech (Feb 27, 2005)

mosaic
not finding this file** C:\WINDOWS\PZDGJMQ.exe **
**
reg key zip attached
thanx - mac


----------



## mactech (Feb 27, 2005)

heres the reg key attachment


----------



## Mosaic1 (Aug 17, 2001)

While I have a look at your registry key, try this:
Because XP will not always show you hidden files and folders by default, reset your search settings first.

Open Folder Options>view and check your settings:
Select 
Show hidden files and folders 
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders


See if you can find that file now.

But first please post a new Hijackthis log using HJT version 1.99.1 as you did the first time you posted. I am about to leave for a few hours, but would like to take a look first.


----------



## Mosaic1 (Aug 17, 2001)

I am not seeing anything extra or unusual anywhere. But you do have some problems which will show in a new Hijackthis log. Post that and then we'll see how it looks.


----------



## mactech (Feb 27, 2005)

mosaic...
file did not show up ... C:\WINDOWS\PZDGJMQ.exe
***
newhjt log
***
Logfile of HijackThis v1.99.1
Scan saved at 2:01:15 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk Revit 5.0\Program\crack\revitlic.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\ACAD2000\acad.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {B7ACB3DD-E118-476F-9344-60D885437CA1} - C:\WINDOWS\System32\odhc.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [PZDGJMQ] C:\WINDOWS\PZDGJMQ.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\overnet.exe -t
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O18 - Filter: text/html - {D2A889A8-512E-4E44-BC76-F86336A476F1} - C:\WINDOWS\System32\odhc.dll
O18 - Filter: text/plain - {D2A889A8-512E-4E44-BC76-F86336A476F1} - C:\WINDOWS\System32\odhc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

ps-
have not rebooted since last instruction to do so in this thread
have not used IE recently..if that matters
-mac


----------



## Mosaic1 (Aug 17, 2001)

I'll post in a few minutes and then I will be leaving.

I see you are file sharing. emule and overnet. This puts you at risk for any number of worms passed through the network. I strongly suggest you do not file share.


----------



## Mosaic1 (Aug 17, 2001)

Download CWShredder from this link:
http://www.intermute.com/spysubtract/cwshredder_download.html

Sign off and close all Internet Related Programs. Run Hijackthis.

Close all Windows Explorer windows.

Select these items and press the fix checked button:
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {B7ACB3DD-E118-476F-9344-60D885437CA1} - C:\WINDOWS\System32\odhc.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [PZDGJMQ] C:\WINDOWS\PZDGJMQ.exe
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\overnet.exe -t
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {D2A889A8-512E-4E44-BC76-F86336A476F1} - C:\WINDOWS\System32\odhc.dll
O18 - Filter: text/plain - {D2A889A8-512E-4E44-BC76-F86336A476F1} - C:\WINDOWS\System32\odhc.dll
*

Install and run CWShredder. Press the fix button to clean.

Restart the computer.

Empty your Temp folder and Temporary internet files.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp 
http://www.pandasoftware.com/activescan/

Allow them to clean

Restart.

Run hijackthis again and post the new log along with how the AV scans went.


----------
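As an added example, not HijackThis itself and not the fix list above, the Python below applies the same triage to the R1/O2/O4/O18 lines of the log posted earlier in this thread: IE search settings pointing at about:blank or at a res:// page served out of a DLL in a Temp folder, a rundll32 Run entry loading such a DLL at logon, a BHO with no name, an executable dropped directly into the Windows folder, and O18 MIME filters on text/html and text/plain. It also collects the file paths from the flagged lines, which is the list Mosaic1 asked to have scanned at Jotti. The sample lines are copied from the posted log; the heuristics, regexes and function names are the editor's.

```python
"""Flag the HijackThis lines that carry the about:blank / se.dll hijack.

Added example by the editor; it is not HijackThis and not the fix list posted
above. It encodes the reasoning behind that list: IE search settings pointing
at about:blank or at a res:// page inside a DLL in a Temp folder, a rundll32
Run entry that loads such a DLL at logon, a BHO with no name, and O18 MIME
filters on text/html and text/plain. The sample lines are copied from the log
posted in this thread; the heuristics and function names are the editor's.
"""
import re
from typing import Dict, List, Set

LINE_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
# A user Temp folder in long or 8.3 form: \Local Settings\Temp\ or \LOCALS~1\Temp\
TEMP_RE = re.compile(r"\\(?:local settings\\temp|locals~1\\temp|temp)\\", re.I)
# An .exe sitting directly in the Windows folder rather than in a subfolder
WINDIR_EXE_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\\s\"]+\.exe\b", re.I)
PATH_RE = re.compile(r"[A-Z]:\\[^\s\"/]+?\.(?:dll|exe)\b", re.I)


def classify(line: str) -> List[str]:
    """Return the reasons one HijackThis line looks suspicious (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    typ, body = m.group("type"), m.group("body")
    low = body.lower()
    reasons: List[str] = []
    if typ in ("R0", "R1"):
        if low.endswith("= about:blank"):
            reasons.append("IE search/start setting reset to about:blank")
        if "res://" in low and TEMP_RE.search(body):
            reasons.append("IE page served out of a DLL in a Temp folder via res://")
    elif typ == "O2":
        if "(no name)" in low:
            reasons.append("BHO registered without a name")
        if TEMP_RE.search(body):
            reasons.append("BHO loaded from a Temp folder")
    elif typ == "O4":
        if "rundll32" in low and TEMP_RE.search(body):
            reasons.append("rundll32 loads a DLL from a Temp folder at logon")
        if WINDIR_EXE_RE.search(body):
            reasons.append("executable placed directly in the Windows folder "
                           "(check it; explorer.exe legitimately lives there)")
    elif typ == "O18":
        if low.startswith("filter: text/html") or low.startswith("filter: text/plain"):
            reasons.append("MIME filter on text/html or text/plain can rewrite every page IE renders")
    return reasons


def triage_hjt_log(log: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons; clean lines are left out."""
    flagged: Dict[str, List[str]] = {}
    for line in log.splitlines():
        reasons = classify(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


def files_to_submit(log: str) -> Set[str]:
    """Paths of the DLLs and EXEs named in flagged lines, e.g. for an online file scan."""
    return {p for line in triage_hjt_log(log) for p in PATH_RE.findall(line)}


# Constructed input: a header plus nine lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {B7ACB3DD-E118-476F-9344-60D885437CA1} - C:\WINDOWS\System32\odhc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PZDGJMQ] C:\WINDOWS\PZDGJMQ.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\mac\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {D2A889A8-512E-4E44-BC76-F86336A476F1} - C:\WINDOWS\System32\odhc.dll
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
"""

if __name__ == "__main__":
    for line, reasons in triage_hjt_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
    print("files to scan:", sorted(files_to_submit(SAMPLE_LOG)))
```

The heuristics are deliberately narrow: they catch the pattern in this thread (a DLL in the user's Temp folder reached from three places at once, plus a MIME filter so the hijack can edit pages before IE shows them) and do not try to judge every O4 entry. Anything flagged is a candidate for the file-properties and online-scan checks the helpers ask for, not proof on its own.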



## mactech (Feb 27, 2005)

Error on downloading Panda ActiveScan
An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again
***
tried it twice
***
se.dll is not showing up in temp folder yet
-no other signs of reinfection yet
-everything is working well as far as i can tell
-have not rebooted since last instruction
-trying to make sure antivirus etc. is in place before i use IE again
****
will paste message from service provider next that may have some relation to about-blank


----------



## Mosaic1 (Aug 17, 2001)

You need activeX to run online scans. If you are not running IE, go there using IE and see if that is successful.


----------



## mactech (Feb 27, 2005)

IE crashed during online scan - after downloading ActiveX
crashed during Trend Micro scan ---??


----------



## Mosaic1 (Aug 17, 2001)

Ouch.

While I am around, would you post a new hijackthis log please? 

We need to get you restarted too. If you still cannot run a successful online scan, restart the computer. Run hijackthis and have a look to see if any new entries are there. 

Try the scans again. Let me know how you do.


----------



## mactech (Feb 27, 2005)

this email was recieved on 02/28/05
****
is this what AboutBlank is up to...?
****
i have informed them of the problems i've been having
****
Dear Valued Road Runner User:

Road Runner has received reports of an unsolicited e-mail that was issued by one of your computers. It appears that this was not done intentionally, but rather was the result of a virus or Trojan horse installing an Open Proxy Server on your computer. Open Proxies are programs that can be used to enable access to use your computer for potentially illegal purposes. As we do not know what proxy server or Trojan horse you have installed on your computer, we have no way of giving specific information. However, those who have followed all the instructions in this letter have been able to completely secure their computers from outside use.

For more information on open proxies, please visit

http://www.nc.rr.com/security/

1) Keep your Windows installation patched from http://windowsupdate.microsoft.com
2) Disable file and print sharing in Control Panel/Network 
3) Utilize a current anti-virus program and update it frequently (examples at http://www.nc.rr.com/security/virusproducts.html). 
4) Use a personal firewall (examples at: http://www.nc.rr.com/security/firewallproducts.html)

*** Road Runner offers an anti-virus and firewall program free for one year to any current residential subscriber. (available at http://www.rr.com) ***

5) Use a Trojan cleaner to detect and close any Trojans or backdoors left open (examples at http://www.nc.rr.com/security/trojanproducts.html).

Road Runner prohibits unsolicited bulk email that threatens to compromise the system's capacity or operations. In addition, Road Runner prohibits transmission of any email or message that contains commercial advertising or any solicitation with respect to products or services.

It appears there are messages transmitted via your computer's IP address which violate this policy. The purpose of this message is to notify you of these e-mails. Please take the time to do a complete virus scan on your system. Some viruses may be undetectable by your anti-virus software if your virus definitions are not current. The existence of these viruses on your PC, does not relieve you of your responsibility.

Please contact us directly at the email address below within 24 hours to let us know you have read and understood this email, and if you have any questions. While we value you as a customer and will work with you to keep your service active, failure to comply may result in suspension of your Road Runner account in order to protect all our users.

These complaints are received by Road Runner from other Internet Service Providers and their subscribers. If possible, the message is pasted below for your convenience.

If you feel you have received this email in error, please respond and let us know. We will be happy to further investigate the matter.

Thank You,

Abuse Department

Time Warner Cable High Speed Data

Eastern Carolina Division

[email protected]

*******************************************************************************

Road Runner does not recommend nor endorse any specific product.
*******************************************************************************


----------



## Mosaic1 (Aug 17, 2001)

That's terrible. We'll do our best.


----------



## mactech (Feb 27, 2005)

i don't know how to turn off "virus scanning in the background"
-i'm afraid i don't have anti-virus protection.
-MS Windows Security Center tells me i don't have anti-virus
-i confess i had taken it for granted... i thought i had norton at one time,... but i need to re-group. in this regard, i'm open to suggestion.
are tools offered by tw/roadrunner to be taken seriously?
what happens if one runs multiple tools..., is there a "preferred solution"?


----------



## Mosaic1 (Aug 17, 2001)

First see about a Hijackthis log for me now.

then restart the computer.

Go right back and try the free online scans.

RR is listing programs for you to try.

Zone Alarm offers a free firewall and AVG offers free Anti Virus.

http://www.grisoft.com/us/us_dwnl_free.php

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

I use AVG myself.

Never run more than one AV in the background or Firewall. They can conflict and cause performance problems.

Remember, we tried to clean yesterday. The email was sent yesterday. Let's finish up, get you some protections and then you should absolutely respond to Road Runner. Ask for help and tell them what you have been doing. You can point them to this thread too.


----------



## mactech (Feb 27, 2005)

hjtlog as of currentmoment
****
Logfile of HijackThis v1.99.1
Scan saved at 8:20:49 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\crack\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\PNAgent\pnagent.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

to take my meaning,..i was asking an opinion of the products rr was naming, as compared to others that techsupport guys may be aware of.
what about "daily updates"?
does AVG handle this or prompt for updates?
i had thought one must only install Symantec and relax. i'm beginning to see there is more to it than i knew.
i'm totally spooked to run IE.....
and i'm afraid to email anyone that i truly care for.


----------



## Mosaic1 (Aug 17, 2001)

This one is back:
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll

Have a look at the file.

C:\WINDOWS\system32\*iehelper.dll*

Right click on it and choose properties. Click the version tab if there is one. Let me know who the Manufacturer is and the original file name.

Go to this free online scanner, upload the file and have it scanned. Let me know what was found.

http://virusscan.jotti.org/


----------



## Mosaic1 (Aug 17, 2001)

AVG is excellent about updates. The emailing they are talking about happened behind your back.


----------



## mactech (Feb 27, 2005)

I'll try AVG... not that you're making recommendations, I understand.
***
I (they) know the spamming was behind my back... but so many things are (behind our backs, I mean).
***
Following is my (first) (yesterday) response to RR.
***
ABUSE DEPT.

Thank you for the notification about emails going out from my IP address.

For about a week I have been having problems with a hijack called "About Blank" that seems to run from trojan programs related to "se.dll".

I have been working with various support forums and think I have almost cleared it up.

It is a very sticky widget, and a variety of cleaner utilities were used repeatedly, as the "se.dll" is quite effective at reinstalling itself and resists elimination. It can, however, be cleaned out.

I send this notice for your information, as I have noticed a great many posts from many other people with the same problem. I did not know what the purpose of the hijack was until I got your email. Apparently it has been using my connection to spread itself as well as to send bulk spam.

I have upgraded Microsoft patches and anti-virus and taken numerous other steps as I have become more educated on this sort of problem.

If you wish, I can send a digest of what I've learned on cleaning the "AboutBlank" trojan, if it will be of use. If my problems are multiplied by many others, I can imagine tremendous bandwidth losses, cumulatively.

The first symptoms are a hijack of the home page to the "AboutBlank" search home page, then a barrage of popups, then a loss of Internet Explorer function and problems with stability of Windows Explorer, as well as a noticeable memory leak (probably due to mass spamming).

Thank you for the notice, and let me know if I may be of assistance.
mac


----------



## mactech (Feb 27, 2005)

I rebooted per request, deleted cookies, and checked the temp dir.
*** 3 new temp entries ***

msi30f54.log
tmvainfo.xml
wst.txt
***
whatever they are


----------



## Mosaic1 (Aug 17, 2001)

Temp always adds. There are programs which, when running, use the temp folder.

Let's get a new HijackThis log.

Then do something about those scans. Try the online scans first.

Then install some antivirus and a firewall.

Did you read my other post too? This one:
http://forums.techguy.org/showthread.php?p=2404817

Please remember that while you are typing, often I am too. When you get back after posting, go up to the last post and be sure you do not miss anything.


----------



## mactech (Feb 27, 2005)

AVG seems pretty slick... on download, Windows Security Center was insistent that AVG was not updated; as I hit the update button, WSC went to its corner.
***
Email scan set, auto update set, auto C-drive scan set.
***
Did a C-drive scan, and it's a nasty cesspool.
Eleven infected files including 1 virus and you-know-who.
AVG reported se.dll in the temp folder, but I was just there and couldn't see it...? (folder options -> wide open)
Anyway, here's the AVG report (all 11 deleted);
however, the vault shows 11 new inmates...?
***
C:\125016.exe Deleted
C:\new.exe Deleted
C:\Documents and Settings\mac\My Documents\Hijack This folder\backups\backup-20050228-162843-814.dll Deleted
C:\Program Files\Internet Explorer\ynsubwyw.exe Deleted
C:\WINDOWS\cerbmod.dll Deleted
C:\WINDOWS\mstasks3.exe Deleted
C:\WINDOWS\toolbar.exe Deleted
C:\WINDOWS\system32\cmd32.exe Deleted
C:\WINDOWS\system32\odhc.dll Deleted
C:\WINDOWS\system32\paydial.exe Deleted
C:\WINDOWS\Temp\se.dll Deleted
***
Other than se.dll, does anyone recognize any of these?


----------



## Mosaic1 (Aug 17, 2001)

They are all nasties. I am in the middle of something right now, but do a Google on each and you'll see. A lot of times things aren't loaded. Post a new HijackThis log please. I want to see if you are running the infection or not.

I have also asked you to do this. Please do it so I can try to assess your situation:
This one is back:
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll

Have a look at the file.

C:\WINDOWS\system32\iehelper.dll

Right click on it and choose properties. Click the version tab if there is one. Let me know who the Manufacturer is and the original file name.

Go to this free online scanner, upload the file and have it scanned. Let me know what was found.

http://virusscan.jotti.org/


----------



## mactech (Feb 27, 2005)

OK, I guess we're over-typing one another.
Let me go back and make sure I'm caught up.
It's seldom in life that service is so good it precedes the request!

thanks-mac


----------



## mactech (Feb 27, 2005)

iehelper.dll
****
Properties:
ver. 1.0.0.1, created Feb 22, 2005, no other information (mfg. etc.); orig. file name iehelper.dll
****
virusscan.jotti report below:
****
File: iehelper.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: PECOMPACT

AntiVir: No viruses found (0.76 seconds taken)
Avast: No viruses found (3.06 seconds taken)
AVG Antivirus: No viruses found (1.42 seconds taken)
BitDefender: No viruses found (1.01 seconds taken)
ClamAV: No viruses found (1.18 seconds taken)
Dr.Web: No viruses found (1.75 seconds taken)
F-Prot Antivirus: No viruses found (1.23 seconds taken)
Fortinet: No viruses found (0.82 seconds taken)
Kaspersky Anti-Virus: No viruses found (2.03 seconds taken)
mks_vir: No viruses found (0.45 seconds taken)
NOD32: No viruses found (0.93 seconds taken)
Norman Virus Control: No viruses found (0.33 seconds taken)

Statistics
Last piece of malware found was Dropper.Small.13.O in wiz.exe, detected by:

| Scanner | Malware name | Time taken |
|---|---|---|
| AntiVir | X | 1.13 seconds |
| Avast | X | 3.05 seconds |
| AVG Antivirus | Dropper.Small.13.O | 0.82 seconds |
| BitDefender | BehavesLike:Win32.IRC-Backdoor | 3.05 seconds |
| ClamAV | X | 1.89 seconds |
| Dr.Web | Trojan.MulDrop.1697 | 1.69 seconds |
| F-Prot Antivirus | X | 0.31 seconds |
| Fortinet | X | 1.20 seconds |
| Kaspersky Anti-Virus | Trojan-Dropper.Win32.Small.to | 2.75 seconds |
| mks_vir | X | 0.60 seconds |
| NOD32 | X | 1.31 seconds |
| Norman Virus Control | Sandbox: W32/Backdoor | 14.52 seco |


----------



## mactech (Feb 27, 2005)

New HJT log.
I see the iehelper; does that mean it's running?
****
Logfile of HijackThis v1.99.1
Scan saved at 11:02:47 AM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ACAD2000\acad.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

How is ZoneAlarm vis-a-vis Windows Firewall (which I think I have running)?


----------



## mactech (Feb 27, 2005)

Just when you think it's safe to go back in the water...

I just went back and got the links for the Panda online scan, opened IE to do the scan... and... boom... ABOUTBLANK

(Looks like plan B...?)


----------



## Byteman (Jan 24, 2002)

Hi, just for info. Hi Mosaic1, the trial version of Kaspersky antivirus is supposed to remove this infection. Not the about:blank, just the popup part, I would say.

That is what I have read in some other forums... have not tried the Kaspersky myself.

Kaspersky is not the easiest program to set up, but I found a tutorial with step by steps and screenshots:

http://forums.subratam.org/index.php?showtopic=3466

The download for Kas if you want to try it:

http://www.kaspersky.com/downloads

I have some personal experience with the se.dll infection>

You can heal, delete, etc. to your heart's content with se.dll and related; unless the Registry items are taken out, it will just reappear. I cleaned one ME machine up the other night, and did the standard about:blank removal along with the Registry items, and it was gone and has stayed gone...

On the ME machine, I had a HOSFS.SAM and suchost.exe found by searching in the Registry for HOSFS.SAM.

Here is a thread about se.dll removal, with others who have had the other entries and what I had:

http://forums.techguy.org/t332999.html

The only thing I did was open regedit and use Edit > Find, typed in HOSFS.SAM, and at the location shown it had suchost.exe together with HOSFS.SAM; in Safe Mode, when I removed that, immediately a hundred (not kidding) IE windows started popping up... see my thread.
It has still not come back, by the way.
That may be because I am used to hunting down through system folders to get rid of the bits and pieces, I don't know... I kept scanning over and over, and as I said, did the whole about:blank removal with AboutBuster twice before I found out about the HOSFS etc... it always came back, until I did the regedits...

EDIT> OK, now I see that maybe it has been cleared up, from your new reply...let's hope so!

If not, perhaps Mo or yourself can use some of the stuff I posted...
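Byteman's regedit > Edit > Find is a manual string search of the registry. As an added example (not from the thread, and not part of any tool named here), the PowerShell below does the same search programmatically and lists every value whose name or data contains the string, so each hit can be reviewed before anything is deleted. The search string HOSFS.SAM is the one from Byteman's post; the default list of hives to search, the choice to render binary values as UTF-16 text, and running it from Safe Mode are assumptions.

```powershell
# Added example: programmatic equivalent of regedit > Edit > Find.
# Not from the thread. Run from an elevated PowerShell prompt; to mirror
# Byteman's approach, boot to Safe Mode first so the autostart entries that
# reference the hit are not running while you remove them.

function Find-RegistryString {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Assumed defaults: the autostart-heavy areas. Pass -Roots 'HKLM:\','HKCU:\'
        # to sweep whole hives (slow, but that is what regedit's Find does).
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
        )
    )
    foreach ($root in $Roots) {
        # The root key itself plus every subkey below it.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # Render REG_BINARY as UTF-16 text as well, so a path stored in a
                # binary value (assumed possible, not observed in this thread) is found.
                $data = if ($raw -is [byte[]]) { [Text.Encoding]::Unicode.GetString($raw) }
                        else { [string]($raw -join ' ') }
                if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = if ($name) { $name } else { '(Default)' }
                        Type  = $key.GetValueKind($name)
                        Data  = $data
                    }
                }
            }
        }
    }
}

# Review the hits first; this call removes nothing.
$hits = Find-RegistryString -Pattern 'HOSFS.SAM'
$hits | Format-Table -AutoSize -Wrap

# Only after reviewing the Data column (in Byteman's case it also named the
# suchost.exe that was keeping the hijack alive), remove a value. -WhatIf
# shows what would be removed; drop it to actually delete.
# $hits | ForEach-Object { Remove-ItemProperty -Path "Registry::$($_.Key)" -Name $_.Value -WhatIf }
```

The search is read-only on purpose: a Run value that launches a loader, as Byteman found, is worth recording (key, value name, full command line) before it is removed, because the file it names still has to be deleted from disk and the same string may turn up elsewhere on a second pass.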


----------



## mactech (Feb 27, 2005)

OK,
I deleted the old IE shortcuts and reset Google as homepage,
and it seems to be OK.
Click shortcut -> get Google (not about:blank).
Whew...!


----------



## mactech (Feb 27, 2005)

Running Panda scan now...
Will post back later with results.


----------



## mactech (Feb 27, 2005)

On another point...
I'm not getting my emails, and if I do they are several hours late.
Is there a security setting that will allow/disallow various attachment types?
Perhaps my ISP is screening/filtering due to my recent spamming problems?


----------



## mactech (Feb 27, 2005)

****
"The only thing I did was open regedit and use Edit > Find, typed in HOSFS.SAM, and at the location shown it had suchost.exe together with HOSFS.SAM; in Safe Mode, when I removed that, immediately a hundred (not kidding) IE windows started popping up... It has still not come back." (from Byteman)
****
Guess I'll try this next... if we haven't done this already?


----------



## mactech (Feb 27, 2005)

Results of Panda ActiveScan
14 infected files?
****

| Incident | Status | Location |
|---|---|---|
| Adware:Adware/Ucmore | No disinfected | Windows Registry |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall*.exe |
| Adware:Adware/SaveNow | No disinfected | Windows Registry |
| Spyware:Spyware/ISTbar | No disinfected | C:\Program Files\Common Files\Totem Shared |
| Adware:Adware/IEDriver | No disinfected | C:\WINDOWS\system32\IEHelper.dll |
| Adware:Adware/BroadcastPC | No disinfected | C:\Program Files\BCPC |
| Adware:Adware/EffectiveBrandToolbar | No disinfected | Windows Registry |
| Adware:Adware Program | No disinfected | C:\WINDOWS\Downloaded Program Files\ieatgpc.inf |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall4_88.exe |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall4_94.exe |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall5_20.exe |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall5_48.exe |
| Spyware:Spyware/Virtumonde | No disinfected | C:\WINDOWS\ServicePackFiles\vssutil.exe |
| Virus:Trj/Agent.FW | Disinfected | C:\WINDOWS\system32\ntddetect.exe |


----------



## Mosaic1 (Aug 17, 2001)

Hi Byteman,

I hope we are about finished cleaning this one up. Although AVG finding it back in Temp again is of concern. Maybe deleting this BHO will help.

Mo

----
*mactech*

May I have a copy of this file please?

C:\WINDOWS\system32\iehelper.dll

If you would go over to this forum and sign up.
http://www.thespykiller.co.uk/forum/index.php?board=1.0

Upload the file. Add a link and a brief explanation. Thanks. The filename is familiar, but if not detected, it looks like the AV's need to see it.

------------

Run Hijackthis.

Sign off and close all Internet Explorer and windows explorer windows.

Fix these two items:

O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Empty your temp folder again.
Restart and post a new Hijackthis log.


----------



## Mosaic1 (Aug 17, 2001)

Just saw your Panda scan results. Go back and search for those files to see if they are now gone. I see now that it did recognize the dll I asked you to send. Do the removal and then check for all the rest of the files on that list. We'll deal with it if they are still there. 

Remember some are uninstalls. They are not looking to be active right now. But the BHO is and needs to be cleaned.


----------



## Mosaic1 (Aug 17, 2001)

I see you have something hiding in Downloaded Program files. You won't be able to see that as things stand now. 

I need a complete list of the contents which we can get using a batch file.

Download the zip attachment and extract it to its own folder.

Double click on DPF.bat to run it.

It will open a text file named DPF.txt when it finishes.

Copy and paste the contents of that text file please. 
(There's an alternate method of looking at the Folder. This is faster for us now. Later, if we need to delete something, I'll show you how to do that.)


----------



## mactech (Feb 27, 2005)

Ran HJT,
shut down both explorers,
fixed iehelper and extra button,
deleted temp,
restart,
HJT again:
iehelper came back,
no extra button.
Fix iehelper,
delete temp again,
restart, HJT again (3rd time):
still iehelper.
Posting most recent HJT log.
****
Logfile of HijackThis v1.99.1
Scan saved at 6:09:38 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\PELMICED.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

-mac
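Mosaic1 spotted the returning BHO by comparing successive logs by eye ("This one is back"), and asked for the DLL's version information (manufacturer, original filename) before it went to the scanners. As an added example, not from the thread and not part of HijackThis, the PowerShell below does both: it parses the numbered "O" lines of two logs and reports which entries are gone, new, or persisting, then for each O2 BHO reads the file's version resource and SHA-256 so the answer can be pasted into a post. The two logs here are constructed from lines quoted in this thread and are not complete logs; the file-info step only produces hashes where the file actually exists on the machine it runs on.

```powershell
# Added example, not from the thread: diff two HijackThis logs and describe
# the DLL behind each O2 (BHO) entry. Both logs below are constructed from
# lines quoted in this thread and are deliberately short.

$logBefore = @'
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
'@

$logAfter = @'
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
'@

function ConvertFrom-HjtLog {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        # Only the numbered "Oxx - ..." findings; header and process list are skipped.
        if ($line -match '^(O\d+) - (.+)$') {
            $section = $Matches[1]; $entry = $Matches[2].Trim()
            $clsid = if ($entry -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0].ToUpper() } else { '' }
            # Module path extraction targets O2/O3 lines, which end with the DLL path.
            $path  = if ($entry -match '([A-Za-z]:\\[^\r\n]+?\.(?:dll|exe))\s*$') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Section = $section
                Entry   = $entry
                Clsid   = $clsid
                Path    = $path
                # A CLSID identifies a COM entry even if its path changes; otherwise use the text.
                Key     = if ($clsid) { "$section|$clsid" } else { "$section|$entry" }
            }
        }
    }
}

function Compare-HjtLogs {
    param([string]$Before, [string]$After)
    $b = @{}; foreach ($e in ConvertFrom-HjtLog $Before) { $b[$e.Key] = $e }
    $a = @{}; foreach ($e in ConvertFrom-HjtLog $After)  { $a[$e.Key] = $e }
    foreach ($k in $b.Keys) {
        if (-not $a.ContainsKey($k)) {
            [pscustomobject]@{ Status = 'Gone'; Section = $b[$k].Section; Entry = $b[$k].Entry }
        }
    }
    foreach ($k in $a.Keys) {
        $status = if ($b.ContainsKey($k)) { 'Persists' } else { 'New' }
        [pscustomobject]@{ Status = $status; Section = $a[$k].Section; Entry = $a[$k].Entry }
    }
}

function Get-HjtModuleInfo {
    param([string]$Text)
    foreach ($e in (ConvertFrom-HjtLog $Text | Where-Object { $_.Section -eq 'O2' -and $_.Path })) {
        if (-not (Test-Path -LiteralPath $e.Path)) {
            [pscustomobject]@{ Path = $e.Path; Exists = $false; Company = ''; OriginalName = ''; Sha256 = '' }
            continue
        }
        $vi = (Get-Item -LiteralPath $e.Path).VersionInfo
        [pscustomobject]@{
            Path         = $e.Path
            Exists       = $true
            Company      = $vi.CompanyName        # what the Properties dialog calls the manufacturer
            OriginalName = $vi.OriginalFilename
            Sha256       = (Get-FileHash -LiteralPath $e.Path -Algorithm SHA256).Hash
        }
    }
}

Compare-HjtLogs -Before $logBefore -After $logAfter | Sort-Object Status, Section | Format-Table -AutoSize
Get-HjtModuleInfo -Text $logAfter | Format-Table -AutoSize
```

"Persists" on its own is not a verdict: the Google Desktop BHO persists too. What matters is an entry that persists after HijackThis was told to fix it, combined with a module that has no company name and an original filename that tells you nothing, which is exactly the iehelper.dll picture in this thread. The SHA-256 lets you name the same file unambiguously when uploading it for analysis.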


----------



## mactech (Feb 27, 2005)

Mosaic,
didn't quite get your meaning in your "Panda scan post" above...
***
"Search for the files", I understand, I think... if you mean from the Panda results,
or did you mean the reg-search that Byteman was speaking of?
***
"Do the removal" I don't understand.
***
I don't see a BHO in the Panda results above, unless you meant in the HJT log?
***
Should I go ahead and do the DPF.bat?
***
I uploaded the "iehelper.dll" that you asked for.


----------



## Byteman (Jan 24, 2002)

Hiya, Yes, she did mean for you to look on the hard drive for the files found by Panda activescan and delete them. You will need the settings made so you can see hidden/system and all files and extensions:



flrman1 said:


> Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
> Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"
> 
> Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
> Click "Apply" then "OK"


Yes, you should also run the DPF and post the contents it shows you. One thing though> see if NewDotnet or similar is in your Control Panel>Add/Remove Programs and uninstall it if found. It can be a problem but we can fix it.

Running the NDNuninstall4_94.exe and the other similar files may help uninstall New.Net for you. Then, delete them. I also want you to get this download, just to have handy, DO NOT run it on your own, Please!!

It is for any unexpected results from removing New.Net, we see it often as it can break your Internet connection...the download can fix it, but you will need some help with that, it depends on what shows in your next HJT log after doing what Mosaic1 has posted, OK?

http://www.majorgeeks.com/download4180.html

Just download it to have handy...you might not even need it.


----------



## mactech (Feb 27, 2005)

Add/Remove
shows nothing like New.net.
Don't believe I've seen that yet.


----------



## mactech (Feb 27, 2005)

Manual search for Panda scan files, results (* means it was in the registry and I didn't fool with it):
******

| Incident | Status | Location | Result |
|---|---|---|---|
| Adware:Adware/Ucmore | No disinfected | Windows Registry | * |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall*.exe | not found |
| Adware:Adware/SaveNow | No disinfected | Windows Registry | * |
| Spyware:Spyware/ISTbar | No disinfected | C:\Program Files\Common Files\Totem Shared | deleted |
| Adware:Adware/IEDriver | No disinfected | C:\WINDOWS\system32\IEHelper.dll | access denied/in use |
| Adware:Adware/BroadcastPC | No disinfected | C:\Program Files\BCPC | not found |
| Adware:Adware/EffectiveBrandToolbar | No disinfected | Windows Registry | * |
| Adware:Adware Program | No disinfected | C:\WINDOWS\Downloaded Program Files\ieatgpc.inf | not found |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall4_88.exe | deleted |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall4_94.exe | deleted |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall5_20.exe | deleted |
| Spyware:Spyware/New.net | No disinfected | C:\WINDOWS\NDNuninstall5_48.exe | deleted |
| Spyware:Spyware/Virtumonde | No disinfected | C:\WINDOWS\ServicePackFiles\vssutil.exe | deleted |
| Virus:Trj/Agent.FW | Disinfected | C:\WINDOWS\system32\ntddetect.exe | not found |

(ntdetect.dat found, deleted)

*****
BTW, the "AVG Resident Shield" pop-up showed "detected virus" as I was deleting files, somewhere toward the end of this list... I'm not sure, and it went away. I could find no report, and didn't know what to make of it?

AVG quarantine shows 11 files... where do they live anyway?


----------



## mactech (Feb 27, 2005)

DPF.bat log as follows:
*************
0 File(s) 0 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.2

12/05/2004 04:34 PM .
12/05/2004 04:34 PM ..
0 File(s) 0 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.3

12/05/2004 04:34 PM .
12/05/2004 04:34 PM ..
0 File(s) 0 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.4

12/05/2004 04:34 PM .
12/05/2004 04:34 PM ..
02/18/2004 03:40 PM 223 SysUpd.inf
1 File(s) 223 bytes

Directory of C:\WINDOWS\Downloaded Program Files\WebEx

12/04/2003 05:21 PM .
12/04/2003 05:21 PM ..
12/04/2003 05:21 PM 326
0 File(s) 0 bytes

Directory of C:\WINDOWS\Downloaded Program Files\WebEx\326

12/04/2003 05:21 PM .
12/04/2003 05:21 PM ..
12/04/2003 05:21 PM 133,632 atas32.dll
12/04/2003 05:21 PM 181,760 atasctrl.dll
12/04/2003 05:21 PM 181,760 ataudio.dll
12/04/2003 05:21 PM 30,208 atauthor.exe
12/04/2003 05:21 PM 13,312 atinet.dll
12/04/2003 05:21 PM 81,408 atjpeg60.dll
12/04/2003 05:21 PM 6,656 atkbctl.dll
12/04/2003 05:21 PM 52,736 atnetext.dll
12/04/2003 05:21 PM 23,552 atpack.dll
12/04/2003 05:21 PM 26,112 atrcp.dll
12/04/2003 05:21 PM 180,736 atrecply.dll
12/04/2003 05:21 PM 599,040 atres.dll
12/04/2003 05:21 PM 338,944 atrpui.dll
12/04/2003 05:21 PM 12,288 atstmget.dll
12/04/2003 05:21 PM 40,612 audio.gsm
15 File(s) 1,902,756 bytes

Total Files Listed:
76 File(s) 12,963,302 bytes
20 Dir(s) 1,063,243,776 bytes free

****
Just peeking in Downloaded Program Files, I see something called "HouseCall Control" on 2-17-05 (3:14am)?
Which is about when all of this started...?!
"ActiveScan" on 02-08-05 (but if that's Panda the date seems wrong...?)
and a few other earlier dates.


----------



## mactech (Feb 27, 2005)

Awaiting further instructions...
going for some dinner now.
***
Thanks, all


----------



## Mosaic1 (Aug 17, 2001)

OK, isn't this just too much fun!
I can't remember if you have the Killbox. So here it is again; apologies if this is a repeat.
Download the Killbox to your desktop from here:

http://www.downloads.subratam.org/KillBox.exe

Go to start>Run
Copy and paste in this command and then press enter.

regsvr32 /u C:\WINDOWS\system32\iehelper.dll

Run Killbox.exe by double clicking on it.

Select Delete on Reboot.
Select End Explorer Shell while deleting file.

Paste this path into the Full Path of File to Delete box:
*C:\WINDOWS\system32\iehelper.dll*

Click the red icon with the white X at the upper right. Say yes when prompted to restart.

Once back in Windows go to start >Run and type hijackthis.
Press enter
Scan with Hijackthis again and see if the file is missing. Fix the entry. Check again to see if it is clean.

Post a new Hijackthis log.


----------



## mactech (Feb 27, 2005)

too much, by half..


----------



## mactech (Feb 27, 2005)

unregister server.....iehelper succeeded


----------



## mactech (Feb 27, 2005)

2nd hjt log..after iehelper fixed..after reboot...after killbox
****
Logfile of HijackThis v1.99.1
Scan saved at 10:20:44 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\PNAgent\pnagent.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\hijackthis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

which is to say iehelper was still there after killbox and reboot.

after first "fix" after reboot, it was not there...and this log is what u see...Above /\ , i mean.

maybe i shouldn't try to explain again..i'm making less sense as i go.


----------



## Mosaic1 (Aug 17, 2001)

Post the latest log please. Somehow you are being reinfected. I may have to infect myself to look at it. I am burned out for today though. These things are just getting worse and worse.

Post a Startuplist too:
In Hijackthis press the Config Button
Click Misc Tools
*Check both boxes under the Generate StartupList log* and then click the generate startuplist log button.

Tomorrow I'll have other keys to look at too.


----------



## mactech (Feb 27, 2005)

scheduled overnite AVGscan results = no virus found
-however AVG dialog said "scan finished" but was locked-up(hourglass)-x'd out ->program not responding dialog..?
anyway here is this morning's hjt log (no restart (or IE use) since previous hjt log above../\ ) - (all clear on the eastern front?)
*****
Logfile of HijackThis v1.99.1
Scan saved at 9:11:01 AM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

here's the hjt startup log...
-what a bunch of stuff..!!
*****
(toolong to paste-will attach)


----------



## mactech (Feb 27, 2005)

i have always wanted to pare down my start-up overhead. is that a good idea..?
i found this site w/ instructions:
http://euchre.delta-knight.co.uk/msconfig.shtml


----------



## mactech (Feb 27, 2005)

as noted above avg scheduled(overnite)scan completed but was not responding when i came to my machine this morning
****
also later on the "automatic (scheduled) update" failed to make connection, and also stopped responding...so i didn't get todays update...

-curiouser...?


----------



## mactech (Feb 27, 2005)

i think i got my updates- but it took a few tries- (connection timeouts)


----------



## Mosaic1 (Aug 17, 2001)

AVG is often very busy and there are these problems. 

I see nothing there again. Try a restart into Safe Mode and run hijackthis.

See if there are any new entries, especially anything in Runonce. Save the safe mode log named as Safe Mode log and restart.

Run hijackthis and post the new log.
Paring down the startups is fine. Be sure you do your research first.


----------



## mactech (Feb 27, 2005)

i didn't understand..."especially anything in Runonce"
safe mode log, here:
****
Logfile of HijackThis v1.99.1
Scan saved at 5:14:25 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [rfv] C:\WINDOWS\x~v\url_mon32.exe arg1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

normal mode restart hjt log here:
****
Logfile of HijackThis v1.99.1
Scan saved at 5:23:11 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Citrix Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024540000} - http://www.co.dare.nc.us/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://timberlineseminars.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## Mosaic1 (Aug 17, 2001)

This is back again:
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll

Go ahead and fix it.

But first have a look for this folder:

C:\WINDOWS\x~v\

Can you zip that and upload the zip please? Then delete the entire folder if it allows it.

Did you edit that Hijackthis log? It is hard to read. Please leave the log as is and do a regular copy and paste next time.

Ok. Here's the thing. It is being reinstalled through a key not present until shutdown. And when you boot to safe mode, as luck would have it, that key is not executing.

In this case it was:
O4 - HKCU\..\Run: [rfv] C:\WINDOWS\x~v\url_mon32.exe arg1

That was new.



> See if there are any new entries, especially anything in Runonce


They often write a runonce entry. Here it is in run.
*O4 - HKCU\..\Run: *

Runonce would look like:
*O4 - HKCU\..\Runonce: *

The HKCU could be HKLM

They may add to global startup. You have to keep a copy of the current regular mode log and compare it to the one you'll see in safe mode and delete anything new. Track down the files and take care of them.

Restart into Safe Mode every time and clean up the log until we know you are clean.

All I can tell you is that you need to clean up again. Then restart into Safe mode and run Hijackthis. Look at that log closely and remove anything new. You really have to use your own eyes. I can't help. Once you restart into regular Windows mode, the entry will execute and reinfect you.

Delete again if you find the folder:
C:\WINDOWS\x~v\

Restart and post a new log.


----------



## mactech (Feb 27, 2005)

are you trying to tell me i have to think for myself...sheesh,..
you don't expect much do ya..? i guess this means nobody is coming over to wash the dishes, or or any of that other stuff, either. dang.


----------



## mactech (Feb 27, 2005)

seriously.. 
the safemode log was saved to notepad...i don't know if that changed the format somehow. the newer one, i think i did as always. they kinda all look alike to me. having read a few of them now, i still don't know what i'm looking at, however i do begin to notice some things. 
***
a few questions for clarification per mosaic's previous post (perhaps dumb questions)

#1-"fix it" means run hjt- select the file->fix--- i think i get this much
(but i gotta wonder, what good does that do--didn't i (we) do that before, a few times, it just comes back...?)

#2"upload" means to the website used before when u said the av people need to see it..? (right?)
(if so...it's coming right after this) (what's the feedback on the previous upload?) (that was "spykiller" not "jotti" right?)

#3 i don't know what a key is-- however it seems logical it would want to reinstall at shutdown or reboot

#4 what's the difference between HKCU and HKLM, how could the one be the other, (this may not be a good question)

#5 i don't yet know what global startup is

#6"the current regular mode log" means the hjt on the normal reboot "after" the safe boot-(right?)
if i understand, new things will appear at normal startup hjt - but not at safe startup

#7 "restart in safe mode every time" does that mean alternate safe vs. normal start, and check for new each time
continuously, several times, every time i start ?? and which comes first (which is the chicken and which the egg..normal or safe)

#8 "clean up again" - does that mean fix the iehelper... or does it mean more than that..?
(anything new, if i understand..)

#9 "entry...will reinfect..." am i missing something here...? it sounds like going around and around...?

#10 are we expecting a few cycles of this to eliminate or will it just reinfect each time i reboot...?
in which case my best option is not to restart unless i have to, and just clean every time... sort of like a chronic neverending infection...?

#11 what is it doing do you think... is it spamming from my connection... destabilizing my connection... or my apps..is there any knowledge base on "iehelper"
is it related to "se.dll"----i haven't seen "about blank" for a while...(not since i deleted the old ie shortcut (Knock on wood))

#12 i've lost track of what these "entries" are doing why they're bad and what the goal is. is every new entry in hjt a bad player...?
(that's probably the dumbest question u ever heard, but i really don't know.)


----------



## Mosaic1 (Aug 17, 2001)

#1 Yes
#2 Yes
#3 Not Important you know that. Is important that I do. 

#4 HKCU = Current User and only effects your profile. HKLM = Entire System effected


#5 The Log will say Global 

#6 Just look for changes. If you start into safe mode, those changes will not have run. If you allow regular Windows, then the nasties will run.

#7 Yes. Use safe mode and then go into normal mode. Check that log each time to see if something is set to run which shouldn't.

#8 Clean up the bho and anything else which doesn't belong. Anything new

#9 If we remove it in safe mode it will not run.

#10 Let's try my method and see. 

#11 It may be stealing information.
It may just be something in addition to the se.dll problem.

#12 Some new ones are. If you haven't installed anything new on purpose, then a new entry is suspect.


----------



## mactech (Feb 27, 2005)

thanks for the clarifications...!
it will take me a bit to catch up..hang loose
i'm sure your method is at least as good as my lack of one
funny thing is i never used a credit card before in my life, online, until the 22nd of feb.. about when this started..(call me paranoid, i know..)


----------



## Mosaic1 (Aug 17, 2001)

The response to the scan of your file:


> so far only Sybari find it as
> PWS-Banker.j.dll


Search results on it. 
http://www.google.com/search?sourceid=navclient-menuext&ie=UTF-8&q=PWS-Banker.j.dll

I have long ago stopped thinking anyone was paranoid on the Internet. It's loaded with predators. Protect your private information and get in touch (not using the computer) with your bank.


----------



## mactech (Feb 27, 2005)

contacted my bank (was going to do it anyway)...they report no unauthorized activity - their recommendation: keep checking...
***
the McAfee site had this to say:
"Presence of the file ASH.DLL in the WINDOWS SYSTEM directory (such as c:\windows\system32)"
i took a peek in there and didn't see it (don't know if it would show in Windows Explorer).
will keep an eye out as i do future hjt ect. scans...
***
does this mean the people at spyblaster think this is related to iehelper..? is it related to se.dll..?
i suppose we are finding whatever we can, that i may have picked up along the way, without playing favorites...
i'm just trying to understand the nature of "the beast"..
is one bug part of the other bug, is this some old stuff from who knows when..? or am i picking up new stuff every day faster than i can get rid of it...? if that's the case i don't know how you good people have a spare minute from cleaning your own, to help others...taking care of my own machine is fast becoming a full time job, wherein cleaning the machine becomes the purpose of the machine...(never mind the work for which it was originally intended..)
perhaps i'm going off the deep end a bit here. - whew..! it was good to get that off my chest...
***
now i'll go back and try to follow instructions...and clean and reclean,
and clean some more.
( i'm starting to feel like the doughnut guy(.."got to make the doughnuts"...))


----------



## mactech (Feb 27, 2005)

ok, i'm confused again..
looked in win explorer for this: C:\WINDOWS\x~v\
don't see it...folder options wide open, showing hidden f&f, not hiding system folders, (managing pairs of web pages as single folder.?)
do a search and search opens folder with 5 files...
-one of which is a log file...
open the log file, and it's full of all kinds of random and not so random stuff from my machine, my name, other names, passwords that even i had forgotten, names of people i know, various websites that i have searched, email contacts, bits and strings of things i've written...u name it.
weird religious phrases, recent phone lookups, a lot of business focus, business people i know, my old email address, my name, address and telephone no., various email addresses i don't recognize
seems i recognize streams of dumps from the recycle bin..., email attachments, seems to focus on names etc. and a lot of business stuff...maybe it's more random and it's just that the weight of my machine is toward business records, but it's spooky...
it's kinda interesting to see a snapshot of my life, this way...i hope the rest of the world is enjoying it
************
bottom line i'm not sure i want to upload this log file to anyone..intentionally that is.


----------



## mactech (Feb 27, 2005)

C:\WINDOWS\x~v\
tried to delete contents of search access denied
went into properties advance..deselected read only ->apply
but the change didn't take
couldn't delete
****
printed out contents of log file....it was six pages
***
you know..this is really starting to **** me off.
..iknow, iknow, don't get mad..get cleaning


----------



## Mosaic1 (Aug 17, 2001)

That is most definitely nasty. The log is your privacy and I understand that. But what else is in that folder please. And if this isn't cleared up soon, I am going to recommend a format and reinstall. Can I have the names and locations of anything you did find please?


----------



## mactech (Feb 27, 2005)

i uploaded to spykiller for u
the file contained 5 files
i edited names and address from log and included it in upload
spykiller browse did not see my zip so i attached individual files
5 attachments
if u need the unedited log for some reason.. i'll consider
i only cut out my name address email and passwords, and associates names and other wise left it intact


----------



## mactech (Feb 27, 2005)

i'm looking at a new machine anyway - dell has a cheapie for $299. i can take this one offline cheaper than the time to reinstall all the software and back up files etc etc.. this thing is 4 yrs old, but still a soldier.


----------



## dvk01 (Dec 14, 2002)

the um.dll seems to be a password stealer and specifically goes for AOL passwords and user log in names

I'm checking the rest and will have to send them on for full examination


----------



## dvk01 (Dec 14, 2002)

this is the report about url_mon32.exe
Sandbox: W32/Malware; [ General information ]

* Accesses executable file from resource section.
* Creating several executable files on hard-drive.
* File length: 100523 bytes.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\x~v.
* Creates file C:\WINDOWS\x~vurl_mon32.exe.
* Deletes file c:\sample.exe.
* Creates file C:\WINDOWS\x~v\htm.cfg.
* Creates file C:\WINDOWS\x~v\um.dll.
* Creates file C:\WINDOWS\SYSTEM\iehelper.dll.
* Creates file C:\WINDOWS\x~v\mn.log.
* Creates file bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
* Creates file bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

[ Changes to registry ]
* Creates value "rfv"="C:\WINDOWS\x~vurl_mon32.exe arg1" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "Start Page"="about:blank" in key "HKLM\Software\Microsoft\Internet Explorer\Main".
* Creates key "HKCR\CLSID\{FD8953C6-823F-46ab-8669-3B2BBF3A9210}".
* Sets value "Server"="195.242.213.55" in key "HKCR\CLSID\{FD8953C6-823F-46ab-8669-3B2BBF3A9210}".
* Sets value "Port"="21" in key "HKCR\CLSID\{FD8953C6-823F-46ab-8669-3B2BBF3A9210}".
* Sets value "Acc"="zippp2" in key "HKCR\CLSID\{FD8953C6-823F-46ab-8669-3B2BBF3A9210}".
* Sets value "Pass"="12qwaszx" in key "HKCR\CLSID\{FD8953C6-823F-46ab-8669-3B2BBF3A9210}".
* Sets value "rfv"="done" in key "HKCU\Software\Microsoft\Windows\CurrentVersion".

[ Changes to system settings ]
* Creates WindowsHook monitoring messages activity. (70.37 seconds taken)
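Mosaic1's method above (#6/#7) is to compare the safe-mode HijackThis log with the normal-mode one and look for what changed, and the sandbox report just posted names the files and registry values the dropper creates. The Python script below is an added example, not code posted by anyone in this thread: it parses two HijackThis logs (constructed excerpts of the logs in this thread), lists processes and O-entries present in one log but not the other, and flags any entry that references the indicators from the sandbox report (the CLSID, the x~v directory, iehelper.dll, um.dll, url_mon32.exe). The function names and the log excerpts are constructed for the example.

```python
import re

# Indicators named in the sandbox report for url_mon32.exe posted in this
# thread (page values, not invented): the BHO's CLSID, the drop directory
# and the files it creates.
KNOWN_CLSID = "{fd8953c6-823f-46ab-8669-3b2bbf3a9210}"
KNOWN_FRAGMENTS = (r"\x~v", "iehelper.dll", "url_mon32.exe", "um.dll")

# "O4 - HKCU\..\Run: [rfv] C:\WINDOWS\x~v\url_mon32.exe arg1" -> ("O4", body)
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# Lines under "Running processes:" are bare image paths.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (processes, entries).

    processes: set of lowercased image paths from the process list.
    entries:   set of (section, body) tuples, one per O-line.
    """
    processes, entries = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
        elif PROCESS_RE.match(line):
            processes.add(line.lower())
    return processes, entries


def diff_logs(baseline_text, current_text):
    """What is in the current log but not the baseline, and vice versa.

    Mosaic1's method: use the safe-mode log as the baseline (the nasties
    have not run) and compare it with the normal-mode log (they have).
    """
    base_procs, base_entries = parse_hjt(baseline_text)
    cur_procs, cur_entries = parse_hjt(current_text)
    return {
        "new_processes": sorted(cur_procs - base_procs),
        "gone_processes": sorted(base_procs - cur_procs),
        "new_entries": sorted(cur_entries - base_entries),
        "gone_entries": sorted(base_entries - cur_entries),
    }


def flag_known(entries):
    """Entries that reference any indicator from the sandbox report."""
    hits = []
    for section, body in sorted(entries):
        low = body.lower()
        if KNOWN_CLSID in low or any(f in low for f in KNOWN_FRAGMENTS):
            hits.append((section, body))
    return hits


# Constructed excerpts of the logs posted in this thread (a few lines each).
SAFE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed excerpt, safe mode)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [rfv] C:\WINDOWS\x~v\url_mon32.exe arg1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

NORMAL_LOG = r"""Logfile of HijackThis v1.99.1 (constructed excerpt, normal mode)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""


if __name__ == "__main__":
    # Print the differences, then every entry that matches a known indicator.
    for key, items in diff_logs(SAFE_LOG, NORMAL_LOG).items():
        for item in items:
            print(f"{key}: {item}")
    for section, body in flag_known(parse_hjt(SAFE_LOG)[1]):
        print(f"KNOWN INDICATOR in {section}: {body}")
```

With the two excerpts above the HKCU "rfv" entry shows up only in the safe-mode log, which is exactly the entry dvk01 later has fixed from safe mode.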


----------



## mactech (Feb 27, 2005)

thanks derek..
i haven't used aol for 2yrs it seems.. i came to view it as an annoyance equal to a virus. it never seemed to completely uninstall,no matter what i tried, and they kept sending bills long after i had written them off. i'm tempted to email them their own personal copy of my recently acquired entities, but they'd probably just send me another bill.
thanks for the feedback on the upload...
*** are these things somehow shared among av services for protection of the general public..? ***
my bank didn't seem to be overly concerned with the specifics,and didn't much have anyone working on it. it'd be ironic if they woke up one morning and their customers acct.s had been depleted and their vaults were empty, except for the little bit of cash they had left laying around....


----------



## dvk01 (Dec 14, 2002)

I send them to a long list of antivirus companies, eventually they mostly get added


----------



## mactech (Feb 27, 2005)

"eventually"......that's reassuring


----------



## dvk01 (Dec 14, 2002)

well some AV companies add in minutes/hours & others, and it's normally the major ones like Norton & McAfee, want all sorts of answers and take their time, so I just send and if they add ok, if not then hard luck


----------



## mactech (Feb 27, 2005)

here' some hjt logs...
* one normal before shut down...fixed iehelper didn't see the others
* one after safe restart
* one after normal restart...iehelper came right back
i'm not seeing the other stuff ...?
c:\windows\x etc
*what is smss and lsass

i found an AOL and uninstalled it, uninstalled a couple of other gizmos, and fixed some stuff in hjt that i was tired of looking at...don't know what it was..hope i don't need it later...but, at this point i'm taking no prisoners.
-mac


----------



## mactech (Feb 27, 2005)

yea,derek the superficial technological gui seems to evolve along a different track from the underlying human nature


----------



## mactech (Feb 27, 2005)

if i didn't get these mixed up...
this is the most recent..starting up in normal iehelper came right back
***

Logfile of HijackThis v1.99.1
Scan saved at 3:40:25 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

i'm gonna just fix ie helper (again), and go about my business for now, if more instructions are forthcoming i'll (try to) follow them...
i'm gonna wait to post the old hjt logs (seems-most recent most pertinent)until u want to see'em...?
i don't feel like i'm too good at differentiating new entries yet...
i never did see those other ones, ...i'll get more used to it.
mac


----------



## mactech (Feb 27, 2005)

also i don't ever see hkcu's only hklm....
i'm gonna take a stab at it... 
hexadecimal key current user..
-huh? how's that..?


----------



## dvk01 (Dec 14, 2002)

You are not going to get rid of the iehelper.dll until we manage to delete the files in the C:\WINDOWS\x~v directory that create it & continue to recreate it

wait until mo comes back on & she will work out a fix for you 

you can try this in the mean time 
boot into safe mode &

now run killbox and paste the first one of these lines into the box, select replace on reboot & use dummy then press the red X button,say yes to the prompt but no to reboot now 

then repeat with each line in turn, if it says file missing or if it says unable to delete/replace then make a note of the files and report back at the end ( tick unregister dll if it allows it )

C:\WINDOWS\x~vurl_mon32.exe.
C:\WINDOWS\system32\x~vurl_mon32.exe.
C:\WINDOWS\system\x~vurl_mon32.exe
C:\WINDOWS\x~v\url_mon32.exe
C:\WINDOWS\x~v\htm.cfg
C:\WINDOWS\x~v\um.dll
C:\WINDOWS\SYSTEM32\iehelper.dll
C:\WINDOWS\x~v\mn.log


then on the killbox top bar press tools/delete temp files and say yes to the prompt 

then reboot 

post a new hjt log and let's see if we have killed the files

Mo will work out a reg script to clean all that up afterwards


----------



## mactech (Feb 27, 2005)

avg virus vault now contains 12 files
was 11 initially
what's the best time to schedule an update...?
i guess everyone wants the new ones when they're fresh
schedule too late and u may get hit...too early and u might be getting yesterday's news
paying customers probably get queued first
i changed to 6am
9am wasn't working
maybe 11 am would be better


----------



## mactech (Feb 27, 2005)

ok, i'll try the killbox
it may take me a bit...i'm kinda slow at first.. i used kbox once before


----------



## mactech (Feb 27, 2005)

here's the new hjt after the killbox..-looks a little better but still not sure what i'm looking at..
****
Logfile of HijackThis v1.99.1
Scan saved at 5:29:20 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PELMICED.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

oh, i see iehelper is back..


----------



## mactech (Feb 27, 2005)

boy..., the entire temp dir is gone, i'm afraid that may have been a mistake...don't some of the other progs need stuff in there to run...?


----------



## dvk01 (Dec 14, 2002)

The iehelper file now should be a dummy file that is harmless

You haven't deleted the entire temp directory, just the contents, and when it's needed by windows it will be recreated

now let's kill off the dummies

now run killbox and paste the first one of these lines into the box, select standard file delete then press the red X button,say yes to the prompt

then repeat with each line in turn, if it says file missing or if it says unable to delete/replace then make a note of the files and report back at the end 

C:\WINDOWS\x~vurl_mon32.exe.
C:\WINDOWS\system32\x~vurl_mon32.exe.
C:\WINDOWS\system\x~vurl_mon32.exe
C:\WINDOWS\x~v\url_mon32.exe
C:\WINDOWS\x~v\htm.cfg
C:\WINDOWS\x~v\um.dll
C:\WINDOWS\SYSTEM32\iehelper.dll
C:\WINDOWS\x~v\mn.log

then run HJT & fix the O2 Iehelper entry 

reboot & post a new log


----------



## dvk01 (Dec 14, 2002)

also boot into safe mode and run a HJT scan I would like to compare the 2 logs please


----------



## mactech (Feb 27, 2005)

i've been noticing a little ghost window flash just barely for a fraction of a second at start up ... looks like it might be a dos window..for about 1/100th of a second...been seeing it for several days but it just registered enough for me to comment...? maybe nothing...paranoid...?

also got this from a desktop icon named windows.txt
****
regf       Pugf 
***********
huh?


----------



## mactech (Feb 27, 2005)

derek
here's the safemode log
*****
Logfile of HijackThis v1.99.1
Scan saved at 6:31:18 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [rfv] C:\WINDOWS\x~v\url_mon32.exe arg1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\\lmgrd.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## dvk01 (Dec 14, 2002)

ok in safe mode fix this entry in HJT 
O4 - HKCU\..\Run: [rfv] C:\WINDOWS\x~v\url_mon32.exe arg1

reboot afterwards and do another log in safe mode and see if it's gone


----------



## mactech (Feb 27, 2005)

wordpad will save as .txt making the log file hard to read as mosaic noted earlier unless i save as .log by selecting all files drop down
this happens with safe mode as i save to reboot
can the video resolution be set in safe mode - it's hard to read stuff - i could barely make out the killbox dialog buttons


----------



## mactech (Feb 27, 2005)

ok in safemode??
what about this entry
O2 - BHO: IEHlprObj Class - {FD8953C6-823F-46ab-8669-3B2BBF3A9210} - C:\WINDOWS\system32\iehelper.dl


----------



## mactech (Feb 27, 2005)

oh i'm sorry u mean "ok"-go to safe mode and fix this entry
..


----------



## mactech (Feb 27, 2005)

ok derek
fixed this in safemode
O4 - HKCU\..\Run: [rfv] C:\WINDOWS\x~v\url_mon32.exe arg1
rebooted to safe ran hjt and here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 7:12:25 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

Seems like I see ctfmon.exe.


----------



## mactech (Feb 27, 2005)

Also:
I get a desktop icon called readme.exe.

I deleted it once and it's back.
I think it opens a DOS window..
I'm not fooling with it again until someone says I should.


----------



## Mosaic1 (Aug 17, 2001)

I just signed on and have read the latest. This is a persistent little bugger. Can you upload readme.exe please?


----------



## mactech (Feb 27, 2005)

So...
se.dll was one bugger,
iehelper was another bugger,
right?
And they're both gone... right?


----------



## mactech (Feb 27, 2005)

I'll have to find it.. give me a minute.
readme.exe, that is..


----------



## Mosaic1 (Aug 17, 2001)

I'll wait. Yes. They appear to be gone, but then again you now have a new file. You and Derek did great!


----------



## mactech (Feb 27, 2005)

Mosaic,
you have mail at Spykiller.


----------



## Mosaic1 (Aug 17, 2001)

Thanks. I looked at it and can't tell much about what it is. You didn't double-click on it, did you?

May I see a new Hijackthis log please? 

I had it scanned and if it is nasty it is not yet recognized. There are no answers yet.


After I see the log I'll hopefully know more. Can you delete it by hand? If so, do that and see if it returns. If it does, that's a bad sign.


----------



## Mosaic1 (Aug 17, 2001)

Here's a registry file to remove the other entries this added to your registry.

Download the zip attachment and extract the regfile to your desktop. It's name is remove.reg


Double click on remove.reg and then say yes to the confirmation box when it pops up.


----------



## Byteman (Jan 24, 2002)

Hi Mo, I had this up earlier...your attachment did not get attached for your last reply to mactech...I will delete this when I see you have fixed it... :up:


----------



## Mosaic1 (Aug 17, 2001)

Thanks Byteman,

No need for you to remove. 

Here's the attachment, Sorry.


----------



## Byteman (Jan 24, 2002)

Hiya Was just wondering if you fell asleep on top of the keyboard without clicking Upload......


----------



## Mosaic1 (Aug 17, 2001)

LOL Could be. Time for a break. Thanks again.


----------



## mactech (Feb 27, 2005)

- Don't see "readme.exe" anymore on startup.
Still have a millisecond-duration splash window at startup..? Maybe nothing..
- New installations since the beginning of the thread:
- Firefox
- Google Desktop
- AVG
- partial reinstall of MS Office due to loss of proplus.msl during clean-up
- various spy utils mentioned in this thread
****
New HJT log (normal restart) follows... just for good measure.
***
The only entry I don't have some idea what it goes to is this:
"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe"
****
Logfile of HijackThis v1.99.1
Scan saved at 11:49:39 AM, on 3/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
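
The O4 entries in these logs were checked one by one by hand (ctfmon.exe being the last one looked up). As an added example, not part of this thread and not HijackThis's own code, the script below pulls the launched program out of each O4 line and marks the two cases this thread turns on: a bare file name with no directory (such as PELMICED.EXE above, which Windows resolves through the search path at logon), and anything starting from a temp directory, which is where the se.dll/sp.dll files discussed here lived. The sample lines are copied from the log above except the last, which is constructed with a hypothetical program name so the temp check has something to match.

```python
"""Parse HijackThis O4 (autostart) lines and flag entries worth a second look.

Added example; the flags are prompts to go and check, not verdicts.
"""
import re

# Sample input: five O4 lines copied from the log in this thread, plus one
# constructed line (the last, hypothetical name) for the temp-directory check.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE',
    r'O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe',
    r'O4 - HKCU\..\Run: [example] C:\WINDOWS\temp\example.exe',  # constructed
]

# O4 lines come in two shapes: a registry Run/RunServices value, or a
# shortcut in a Startup folder.
REGISTRY_O4 = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
STARTUP_O4 = re.compile(
    r'^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$'
)
# The program is either a quoted path, or the text up to the first executable
# extension that is followed by whitespace or the end of the line.
QUOTED_EXE = re.compile(r'^"([^"]+)"')
BARE_EXE = re.compile(r'^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.IGNORECASE)


def executable_of(cmd):
    """Return the program a Run value or shortcut launches, without arguments."""
    m = QUOTED_EXE.match(cmd) or BARE_EXE.match(cmd)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def flags_for(exe):
    """Review hints for one program path; both cases can still be legitimate."""
    flags = []
    if "\\" not in exe:
        # A bare file name is resolved through the search path at logon, so
        # the log alone does not tell you which directory it really loads from.
        flags.append("unqualified")
    lowered = exe.lower()
    if "\\temp\\" in lowered or "\\tmp\\" in lowered:
        # Programs do not normally autostart from a temp directory.
        flags.append("temp")
    return flags


def parse_o4(line):
    """Parse one O4 line into a dict; return None for any other line."""
    m = REGISTRY_O4.match(line)
    if m:
        location = f"{m['hive']}\\..\\{m['key']}"
    else:
        m = STARTUP_O4.match(line)
        if not m:
            return None
        location = m["where"]
    exe = executable_of(m["cmd"])
    return {"location": location, "name": m["name"], "exe": exe, "flags": flags_for(exe)}


def flagged_entries(lines):
    """All O4 entries in a log that carry at least one review flag."""
    parsed = (parse_o4(line) for line in lines)
    return [entry for entry in parsed if entry and entry["flags"]]


if __name__ == "__main__":
    for entry in flagged_entries(SAMPLE_HJT_LINES):
        print(entry["location"], entry["name"], entry["exe"], entry["flags"])
```

Feed it the whole log (one string per line) and it skips everything that is not an O4 entry; the "unqualified" flag on the Mouse Suite entry is a reason to confirm where PELMICED.EXE lives, not a sign of infection.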


----------



## mactech (Feb 27, 2005)

ok - found this..
***
ctfmon - ctfmon.exe - Process Information

Process File: ctfmon or ctfmon.exe
Process Name: Alternative User Input Services

Description:
ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.


----------



## mactech (Feb 27, 2005)

awaiting "thumbs up" :up:


----------



## dvk01 (Dec 14, 2002)

Well, it looks clear, but we won't mark it solved until you have had a few days surfing around, in case it has hidden deeply and pops its ugly head up again.


----------



## Mosaic1 (Aug 17, 2001)

If the Quick flash you see only started happening AFTER you installed AVG then that's AVG and nothing to worry about. When it opens, it minimizes itself to your systray. However, before that you get an extremely brief glimpse of its Window.

Did you download and extract the attachment and merge it into the registry to remove the entries this created?
http://forums.techguy.org:80/showthread.php?p=2417878


----------



## mactech (Feb 27, 2005)

I think maybe the quick flash came along w/ AVG.
*****
Another variation of "about blank" might be with a totally blank IE homepage (don't know) instead of the "about blank" search page.. I had that for a while... that would almost be sneakier.
*****
Is there such a thing as a "digest" of what has been learned.. easiest route to removal... or is every setup unique, and the safest thing is the shotgun approach -> clean it all, you don't know what you may have...?


----------



## Mosaic1 (Aug 17, 2001)

About:Blank is an IE option. You open to a totally blank page. Your Home Page may have been reset to about:blank after a cleanup.

You definitely need to increase your security. Firewall, router, or whatever needs goosing. That's another post though.

Be sure everything is in working order first. Then it is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.

After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run, type msconfig and press Enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html


----------



## mactech (Feb 27, 2005)

Wake up Mosaic... wake up Mac.. (somehow I missed the whole thing above about remove.zip) (last thing I knew, I was on page 9)...
.. -don't you ever sleep, Byteman..?!?

Anyway.. yes, I did double-click readme.exe (there's a sucker born every minute..)
Yes.. manual delete was OK.. restarted a few times, and I don't see it back.
Last HJT log above is after any sightings of readme.exe.
Will post a new HJT in the morning..
head hitting keyboard........
mac


----------



## mactech (Feb 27, 2005)

"REMOVE REG HAS BEEN SUCESSFULY ENTERED INTO THE REGISTRY"
I guess I won't see it do anything..?


----------



## Mosaic1 (Aug 17, 2001)

That's correct. May I see a new Hijackthis log please?


----------



## mactech (Feb 27, 2005)

Did a restart and here's the new HJT:
****
Logfile of HijackThis v1.99.1
Scan saved at 11:28:34 AM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

Will flush System Restore on your orders, capitan..
**
I've always been reluctant to use Restore.. never used it.. I worked too hard to get it messed up just the way I like it.. the idea of going back never appealed to me, didn't see the point..
I guess it doesn't fool with files, only system..?
They used to have a thing called "Go Back"... didn't like the sound of it..
If there'd have been a "Go Forward" I'd have pushed that button in a minute...


----------



## mactech (Feb 27, 2005)

GOT SOMETHING I CAN'T DELETE IN TEMP FOLDER
***
iec134.temp
***
May be nothing... I looked in there because I went to the Gateway site... as it was loading a Windows message came up saying popups were not blocked...
and two little postage-stamp-sized popups appeared in the lower right...
Went to close them and a title tooltip came out on one saying "about blank"... aarrrghhh...
The popup windows were real small.. nothing in them.. that you could see w/out maximizing..
Googled for iec134.temp... nothing.

I'm not sure if my settings are different (lower) for the Gateway site.
It scanned my (Gateway) machine for serial # as I was looking for some upgrades.


----------



## dvk01 (Dec 14, 2002)

Upload that temp file to Spykiller and I'll check it out.

It could be innocent, as Windows won't let you delete temp files that are in use, and many updates or upgrades do use funny-sounding temp names.


----------



## mactech (Feb 27, 2005)

I'll upload the file... it said it was in use...
***
Here's the new HJT after reboot - don't see anything obvious..
***
Logfile of HijackThis v1.99.1
Scan saved at 5:43:16 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


----------



## mactech (Feb 27, 2005)

Yeah... it's gone now.. when I went to look for it..
..there's imt177.xml and a couple similar..
Are they history files or what..?
Temp looks pretty empty.


----------



## mactech (Feb 27, 2005)

dvk,
uploaded some exe shortcuts from my desktop...
maybe updated drivers.. don't know why they're on the desktop.
Maybe I shouldn't upload willy-nilly..

I'm just overly alert/nervous, now, about IE.. the internet is a basic life function these days.. what's one to do..?
ActiveX..? block this.., don't block that..? .."web site was blocked from.. this.. or that"...? security alert dialogs..? "check bar at top"..?
***
I don't know if I'm raising or lowering security by checking these boxes, or not..... am I not getting images and streaming that I would otherwise want for full function of web sites that I visit..?
I'll get used to it, I suppose..


----------



## dvk01 (Dec 14, 2002)

You could always change browsers and use Firefox or Opera for day-to-day browsing and just keep IE in reserve for Windows Updates and the few badly coded sites that don't work in other browsers.

That's what I do, and many other people as well.


----------



## dvk01 (Dec 14, 2002)

What you uploaded was a corrupt zip file, and all I could get out of it was a text file saying something about updating monitor drivers, so it looks OK and is probably part of the Gateway updates you did.


----------



## jadester48 (Jan 13, 2005)

I work in tech support at a school, so here we have quite a few machines currently running win98
We had this infection first appear just on one machine, a coupla months ago, but back then i didn't know about what it was, and assumed it was another adware that was easy to get rid of. It kept coming back, so eventually when i had a moment i looked into and found plenty of people having problems with this.
First thing, as has already been mentioned in this thread and elsewhere on this forum as well as other sites, it appears to have more than one form. Certainly, the first one we had was easier to get rid of than two others that have more recently appeared on other machines.
Secondly, i tried to take the chance to put together a list of URLs promoted by this b*tard. It's far from complete, but i figured if i could at least contact hosts for most of them and tell them waht's going on, they'd remove the sites.
I've not got much further than halfway through them, unfortunately several have yet to respond, one of the hosts was very good, a registrar for several of the domains (as i couldn't find the host name let alone a contact) was crap and didnt appear to have read my e-mail, as they used the defence about them not being the hosts. I'm almost certain i wrote "i know you're not the hosts but you are the registrar and i can't find the host details so could you pass this on..."
Anyway, at home i obviously checked out these URLs, with virus scanner and firewall running, and Sbybot's SD helper and Teatime, to check they were still up, etc.
Several of them give the impression of being some crappy little search engine with an affiliate scheme (there's loads of these, they usually pay per click sent through them). BUT, on closer look, at least two reside on the EXACT same address, just with differently-named PHP files (kinda random 4-letter names). Many other of the URLs are direct affiliate promotion URLs, you can tell if you've seen enough of these before, they have identifiers - usually just numbers - and some of them actually go through advertising sites. Now apart from the obvious, about the point of this hijacker being to earn some sneaky li'l twat some easy money, looking at how many variants appear to be poppnig up, I had the idea today that maybe the basic trojan has been written by one person, to be easily customized for use by a number of others, for them all to earn some easy cash. Of course, if we can get most of the promoted sites to close these suckers' accounts down, that may help a bit. I'll post the list when i get back home, i had to collect them all from all the separate files i've saved of the the source code of many of the popups. Also, the local .dll filename being used for the initial search page is "disguised" in hex. If you don't want to use regedit to find what the filename is, when the search site loads, View its source.
Then, at the top, where it has the page address but the name has loads of digit pairs separated by %s, just copy all the %s and pairs, and paste into the decoder at http://www.wight.info/iwindex/hexform.htm

DLLs i have come across as being this infection:
(all in c:\windows\system)
paffjc.dll - i only saw it as this on one machine, and initially when i googled it there were a couple of results, but no more, strangely
jcmj.dll
bilk.dll
hnfl.dll

Also, in the temp directory, one of the infections i just cleaned - actually i'm not certain that one's gone, but anyway - used sp.dll as opposed to se.dll
there also *appear* to be a couple of semi-randomly-named .tmp files created in c:\windows\temp\ i *think* as a result of this infection, although in each case i just disinfected, one .tmp file is still being created there, although the infection appears to be gone now. These temp files take the name form of
~df<something>.tmp
I've seen, for example,
~df7a65.tmp
~dfb98.tmp
~df1865.tmp
~df8f3e.tmp

the first time i noticed these, as a check i looked at the "last modified" times, and the .tmp file that was on there before i tried to disinfect was modified just 3 minutes before the sp.dll file
Also, on one machine - i've actually not checked the others yet, must go and do that - i found c:\windows\winint.bak file with following plaintext content:
[rename]
C:\WINDOWS\SYSTEM\HNFL.DLL=C:\WINDOWS\SYSTEM\GKHN.DLL

on that machine, hnfll.dll was the infection file
On that machine, i also deleted a C:\WINDOWS\HFFFJO.ini file, i think it was modified at around the same time, and also
C:\WINDOWS\Local settings\Application data\Microsoft\Internet explorer\Msimgsiz.dat

(a quick google shows that this file can be part of Total Control, another pest)
Now, it also appears this can be a legitimate file, BUT from what I can gather, Windows creates a new version if it doesn't exist where it's supposed to. Anyway, I deleted it and that machine still works fine. I deleted it because it was modified at around the same time as other apparently se.dll-related files
I HAVE actually got one of the infection .dlls, PAFFJC.dll, saved and could put it on disk, but I don't have the time to try and extract all the URLs promoted, and I don't have a non-network machine here to do it on. It does get detected as a virus; I think it was something.startpage.something, you get the idea.

As for the name, it seems to have taken inspiration from the 180Search Assistant, a piece of adware not quite so insidious. Unless this is just an evolution of that...(it used saie.dll as its main dll file)
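A decoder for the %-disguised filename described in the post above, added here as an example and not code from this thread. The page source it scans is constructed; the two encoded names in it (hnfl.dll and se.dll) are taken from the filenames already listed in the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample of what the hijacker's search page source looks like:
# the local DLL name is hidden as a run of %XX pairs.  Names are from this thread.
SAMPLE_SOURCE = r"""<html><head><title>Search</title></head>
<body>
<script src="res://C:\WINDOWS\SYSTEM\%68%6E%66%6C.dll/sp.html"></script>
<frame src="file://C:\WINDOWS\TEMP\%73%65%2E%64%6C%6C/index.html">
</body></html>"""

# Four or more consecutive %XX escapes.  Single escapes such as %20 are ordinary
# URL encoding and are skipped, so only deliberately disguised strings are reported.
HEX_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")
DLL_NAME = re.compile(r"\b[\w~-]+\.dll\b", re.IGNORECASE)


def decode_hex_pairs(text: str) -> str:
    """Decode the pairs the way the post says to do by hand: accept '%68%6E...'
    or '68 6e ...' and turn each pair into its character."""
    digits = re.sub(r"[%\s]", "", text)
    return bytes.fromhex(digits).decode("latin-1")


def decode_hex_runs(page_source: str) -> list[tuple[str, str]]:
    """Every long run of %XX escapes in the source, as (encoded, decoded) pairs."""
    return [(m.group(0), unquote(m.group(0))) for m in HEX_RUN.finditer(page_source)]


def reveal_dll_names(page_source: str) -> list[str]:
    """Replace each hex run with its decoded text and list every .dll name that
    appears afterwards, whether the '.dll' part was encoded or left in clear."""
    revealed = HEX_RUN.sub(lambda m: unquote(m.group(0)), page_source)
    return sorted({name.lower() for name in DLL_NAME.findall(revealed)})


if __name__ == "__main__":
    for encoded, decoded in decode_hex_runs(SAMPLE_SOURCE):
        print(f"{encoded} -> {decoded}")
    print("DLLs referenced:", reveal_dll_names(SAMPLE_SOURCE))
```

Point reveal_dll_names at a saved copy of the search page's source (File > Save As in the browser) and compare the names it lists against c:\windows\system before deleting anything.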


----------



## mactech (Feb 27, 2005)

firefox and opera are basically what i've been doing lately..
i had a popup sneak by firefox earlier today
..."casalamedia.com"..informed me that i had critical errors and offered to scan my pc...closed it
...opera crashes quite a bit,when going back and forth..not bad really...it is older version
so...that's the way it is...
mac


----------



## mactech (Feb 27, 2005)

can the various browsers be set to see each others bookmarks?
it doesn't seem that i'm seeing all of them (just getting started w/ firefox)
does path need to be set?
****
oh, look at me...i'm a senior member already..gee-whiz
***
ok, my first piece of advice, as a senior member, is...don't go on-line..!
if u do go on line ...don't use IE..
if u do use IE..then please get all of your updates and current a/v
****
and if u have a problem,..submit it to techsupportguy forum..(where the real gurus live)
***
http://forums.techguy.org


----------



## mactech (Feb 27, 2005)

checking processes in task manager
***
first i googled is this...
***
Process File: crss or crss.exe
Process Name: W32.AGOBOT.GH Worm

Description:
crss.exe is a process which is registered as the W32.AGOBOT.GH worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process
***
found "info" here:
http://www.liutilities.com/products/wintaskspro/processlibrary/crss/
***
what to do...?


----------



## mactech (Feb 27, 2005)

also get this from same site as above
http://www.liutilities.com/products/wintaskspro/processlibrary/crss/
***
Process File: smss or smss.exe
Process Name: Session Manager Subsystem

Description:
smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated. Note: smss.exe is also a process which is registered as the Win32.Ladex.a Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process


----------



## mactech (Feb 27, 2005)

and this...
***
Process File: spoolsv or spoolsv.exe
Process Name: Microsoft Printer Spooler Service

Description:
spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers. Note: spoolsv.exe is also a process which is registered as the Backdoor.Ciadoor.B Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process


----------



## mactech (Feb 27, 2005)

apparently EVERY windows process can be hawked by so-called white-hats trying to sell you a spyware removal tool, as a potential trojan/virus disguised as a legit process...sheeesh..!!
***
none of the exe's that i googled, from my task mgr., are using any cpu, so they must be very lazy viri, or real sys. processes..
mac


----------



## mactech (Feb 27, 2005)

Caveat \Ca"ve*at\, n. [L. caved let him beware, pres. subj. of cavere to be on one's guard to, beware.] [1913 Webster] 
caveat emptor n : a commercial principle that without a warranty the buyer takes upon himself the risk of quality..

1. (Law) A notice given by an interested party to some officer not to do a certain act until the party is heard in opposition; ...
2. CAVEAT EMPTOR. Let the purchaser take heed; that is, let him see to it, that the title he is buying is good. This is a rule of the common law, ...
This rule has been severely assailed, as being the instrument of falsehood and fraud; _but it is too well established to be disregarded. _ 
- Coop., Just. 611, n. See 8 Watts, 308, 309. 
***
(italics added -ed.)
***
mac(-ed.)


----------



## dvk01 (Dec 14, 2002)

if any of the processes you mention had been worms they would show in a hjt log as O4 entries 

the ones on your computer appear to be running from the correct location as genuine windows versions so are unlikely to be the worms

the worms normally run from C:\windows or some other location apart from the proper location of C:\windows\system32
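A check for the two signs dvk01 describes (a core process running from somewhere other than its proper directory, and a name one letter off a genuine one, like crss.exe against the real csrss.exe), written against the "Running processes" block of a HijackThis log. This is an added example, not code from the thread; the log it parses is constructed, with the two bad entries planted.

```python
import ntpath

# Core Windows XP binaries and the directory each is expected to run from.
# Genuine copies live in C:\WINDOWS\system32 (explorer.exe in C:\WINDOWS);
# impostors run from elsewhere or carry a name one letter off.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample in HijackThis log format.  The last two entries before the
# blank line are the planted bad ones: a look-alike name, and a genuine name
# running from a temp directory.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\crss.exe
C:\DOCUME~1\mac\LOCALS~1\Temp\svchost.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_running_processes(hjt_log: str) -> list[str]:
    """Pull the full paths listed under 'Running processes:'; a blank line ends the block."""
    paths, in_block = [], False
    for line in hjt_log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block:
            if not line:
                break
            paths.append(line)
    return paths


def one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra character in the longer string, or both on a substitution
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    edits += (len(a) - i) + (len(b) - j)   # a trailing extra character
    return edits == 1


def suspicious_processes(hjt_log: str) -> list[tuple[str, str]]:
    """(path, reason) for each core name running from the wrong directory and
    each name one typo away from a core name.  Paths are compared case-insensitively
    with ntpath so the check also runs on a non-Windows analysis box."""
    findings = []
    for path in parse_running_processes(hjt_log):
        directory, name = ntpath.split(path)
        directory, name = ntpath.normcase(directory), name.lower()
        if name in EXPECTED_DIR:
            if directory != EXPECTED_DIR[name]:
                findings.append((path, f"expected in {EXPECTED_DIR[name]}"))
            continue
        for core in EXPECTED_DIR:
            if one_edit_away(name, core):
                findings.append((path, f"name resembles {core}"))
                break
    return findings


if __name__ == "__main__":
    for path, reason in suspicious_processes(SAMPLE_HJT_LOG):
        print(f"{path}: {reason}")
```

A log only shows the path, so a clean result here means the process ran from the right place under the right name, not that the file itself is the genuine one; the file's version info and a scan of it are the next step.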


----------



## mactech (Feb 27, 2005)

derek
learn a bit every day
thanks
mac


----------



## jadester48 (Jan 13, 2005)

csrss.exe is an essential Windows XP service, not a virus


----------



## mactech (Feb 27, 2005)

no performance probs...seems all clear..
i notice a few new ones.. some that seem to be related to new nvidia drivers...
and a couple of "run once" entries... i was told to look out for those..
something about "unicows" and "del customer"...(gateway..?)
***
no more obvious (to me) signs of previous problem.. (that is se.dll aboutblank)..knock on wood..
thanks ...
ms updates in place
avg in place
***
i've learned a lot..(still a bit of an idiot..) thanks so much..
***
mark it solved if the hjt looks clear to u...
***
Logfile of HijackThis v1.99.1
Scan saved at 9:50:22 PM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Autodesk Revit 5.0\Program\revitlic.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\mac\My Documents\Hijack This folder\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CF1DelUnicows] cmd /C del C:\DOCUME~1\mac\LOCALS~1\Temp\unicows.dll
O4 - HKCU\..\RunOnce: [CF1DelEXE] cmd /C del C:\DOCUME~1\mac\LOCALS~1\Temp\Customer-4.3.2.6.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRA~1\buzzsaw.com\common\PMPROT~2.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\Program Files\Autodesk Revit 5.0\Program\lmgrd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


----------



## dvk01 (Dec 14, 2002)

reboot & see if these 2 are gone
O4 - HKCU\..\RunOnce: [CF1DelUnicows] cmd /C del C:\DOCUME~1\mac\LOCALS~1\Temp\unicows.dll
O4 - HKCU\..\RunOnce: [CF1DelEXE] cmd /C del C:\DOCUME~1\mac\LOCALS~1\Temp\Customer-4.3.2.6.exe

if they are still there fix them with HJT

then reboot again and run killbox. Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything


----------



## mactech (Feb 27, 2005)

those runonce entries didn't reappear @ restart
***
ran adaware later on, and some iehelper things showed up ...removed them...here's adaware log before removal
***

Ad-Aware SE Build 1.05
Logfile Created on:Thursday, March 24, 2005 2:20:40 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R34 23.03.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Transponder(TAC index:10):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

3-24-2005 2:20:40 AM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 456
ThreadCreationTime : 3-24-2005 5:27:03 AM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 512
ThreadCreationTime : 3-24-2005 5:27:06 AM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 3-24-2005 5:27:46 AM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 3-24-2005 5:27:46 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 3-24-2005 5:27:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 744
ThreadCreationTime : 3-24-2005 5:27:48 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 788
ThreadCreationTime : 3-24-2005 5:27:48 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 852
ThreadCreationTime : 3-24-2005 5:27:48 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 896
ThreadCreationTime : 3-24-2005 5:27:49 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 928
ThreadCreationTime : 3-24-2005 5:27:49 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1072
ThreadCreationTime : 3-24-2005 5:27:50 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1212
ThreadCreationTime : 3-24-2005 5:27:59 AM
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1228
ThreadCreationTime : 3-24-2005 5:27:59 AM
BasePriority : Normal
FileVersion : 7,1,0,285
ProductVersion : 7.1.0.285
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [cdac11ba.exe]
FilePath : C:\WINDOWS\System32\drivers\
ProcessID : 1240
ThreadCreationTime : 3-24-2005 5:27:59 AM
BasePriority : Normal
FileVersion : 4.20.020
ProductVersion : 4.20.020 Windows NT 2002/12/10
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright (c) 1998-2002 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:15 [cdantsrv.exe]
FilePath : C:\WINDOWS\System32\DRIVERS\
ProcessID : 1292
ThreadCreationTime : 3-24-2005 5:27:59 AM
BasePriority : Normal
FileVersion : 3.27.000
ProductVersion : 3.27.000 Windows NT 2002/09/12
ProductName : CD-Secure/CD-Compress Windows NT
CompanyName : C-Dilla Ltd
FileDescription : C-Dilla RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright (c) Macrovision 1993-2002
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:16 [lmgrd.exe]
FilePath : C:\Program Files\Autodesk Revit 5.0\Program\
ProcessID : 1324
ThreadCreationTime : 3-24-2005 5:28:00 AM
BasePriority : Normal
FileVersion : 8, 0, 4, 0
ProductVersion : 8, 0, 4, 0
CompanyName : GLOBEtrotter Software Inc.
InternalName : LMGRD
LegalCopyright : Copyright © 2001, 1987
OriginalFilename : LMGRD.EXE

#:17 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1344
ThreadCreationTime : 3-24-2005 5:28:00 AM
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:18 [nvsvc32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1380
ThreadCreationTime : 3-24-2005 5:28:00 AM
BasePriority : Normal
FileVersion : 6.14.10.7184
ProductVersion : 6.14.10.7184
ProductName : NVIDIA Driver Helper Service, Version 71.84
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 71.84
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:19 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1436
ThreadCreationTime : 3-24-2005 5:28:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1508
ThreadCreationTime : 3-24-2005 5:28:01 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:21 [revitlic.exe]
FilePath : C:\Program Files\Autodesk Revit 5.0\Program\
ProcessID : 1600
ThreadCreationTime : 3-24-2005 5:28:02 AM
BasePriority : Normal

#:22 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1984
ThreadCreationTime : 3-24-2005 5:28:08 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:23 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 360
ThreadCreationTime : 3-24-2005 5:28:17 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:24 [pelmiced.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 432
ThreadCreationTime : 3-24-2005 5:28:20 AM
BasePriority : Normal
FileVersion : 1, 0, 7, 7
ProductVersion : 1.0.0.0
ProductName : MouseSuite 98
CompanyName : Primax Electronics Ltd.
FileDescription : Mouse Suite 98 Daemon
InternalName : pelmiced.exe
LegalCopyright : Copyright (c) 1997, Primax Electronics Ltd.
LegalTrademarks : Primax Electronics Ltd.

#:25 [point32.exe]
FilePath : C:\Program Files\Microsoft IntelliPoint\
ProcessID : 296
ThreadCreationTime : 3-24-2005 5:28:20 AM
BasePriority : Normal

#:26 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 436
ThreadCreationTime : 3-24-2005 5:28:20 AM
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:27 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 472
ThreadCreationTime : 3-24-2005 5:28:20 AM
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:28 [googledesktop.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 516
ThreadCreationTime : 3-24-2005 5:28:21 AM
BasePriority : Normal

#:29 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 704
ThreadCreationTime : 3-24-2005 5:28:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:30 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 596
ThreadCreationTime : 3-24-2005 5:28:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:31 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 752
ThreadCreationTime : 3-24-2005 5:28:21 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:32 [o9x00mc.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ProcessID : 624
ThreadCreationTime : 3-24-2005 5:28:25 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SMLMProxy Module
FileDescription : SMLMProxy Module
InternalName : SMLMProxy
LegalCopyright : Copyright 2000 - 2002
OriginalFilename : SMLMProxy.EXE

#:33 [googledesktopindex.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 2076
ThreadCreationTime : 3-24-2005 5:28:40 AM
BasePriority : Normal

#:34 [googledesktopcrawl.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 2128
ThreadCreationTime : 3-24-2005 5:28:49 AM
BasePriority : Normal

#:35 [googledesktopoe.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 2220
ThreadCreationTime : 3-24-2005 5:28:59 AM
BasePriority : Normal

#:36 [ntvdm.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3748
ThreadCreationTime : 3-24-2005 5:57:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : NTVDM.EXE
InternalName : NTVDM.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NTVDM.EXE

#:37 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3280
ThreadCreationTime : 3-24-2005 7:19:44 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Transponder Object Recognized!
Type : Regkey
Data : 
Category : Data Miner
Comment : 
Rootkey : HKEY_CLASSES_ROOT
Object : iehlprobj.iehlprobj

Transponder Object Recognized!
Type : RegValue
Data : 
Category : Data Miner
Comment : 
Rootkey : HKEY_CLASSES_ROOT
Object : iehlprobj.iehlprobj
Value :

Transponder Object Recognized!
Type : Regkey
Data : 
Category : Data Miner
Comment : 
Rootkey : HKEY_CLASSES_ROOT
Object : iehlprobj.iehlprobj.1

Transponder Object Recognized!
Type : RegValue
Data : 
Category : Data Miner
Comment : 
Rootkey : HKEY_CLASSES_ROOT
Object : iehlprobj.iehlprobj.1
Value :

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 4

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

2:48:24 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:27:44.313
Objects scanned:180557
Objects identified:4
Objects ignored:0
New critical objects:4


----------



## dvk01 (Dec 14, 2002)

If adaware fixed them then it should be ok 

post a new HJT log please to check


----------

