BetaArchive
[ 26 posts ]  Page 1 of 2
Post subject: weird internet/program probs, probably eff'd up registry        Posted: Sun Aug 26, 2007 4:23 am
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
Well, I'm using Media Center 2002 on this 2-4 year old compy, and I am running into some problems... sorry about the long list:

1) The only programs that can use my internet connection on my compy are web browsers and LimeWire (got rid of it though).

2) I can't access secure internet sites (i.e. anything with the prefix "https://").

3) When I look at my Network Connections folder, it's empty, and if I try to refresh it, it says "the network connections folder was unable to retrieve the list of network adapters running on your system, please make sure the network connections service is enabled and running" even if the service is enabled.

4) The "Network Setup Wizard" is gone; the icon is there in Control Panel, but nothing happens...

5) The Microsoft Installer service is gone, it says it can't be accessed...

6) And here's the kicker... for some reason, a bunch of programs aren't working anymore. mspaint can only load once; if you close it, it takes about an hour (I'm not kidding, I timed it...) to load back up, Microsoft Word locks up when it tries to load, and a couple other progs are shot too...

I don't have an install disk for my compy, so I can't do a fresh install, and I'm 50/50 on the idea of this being either a corrupt registry, or it being a virus (since my virus scanner can't update its definitions...)... any ideas?

Posted: Sun Aug 26, 2007 5:10 am
FTP Access | Joined: Fri Nov 03, 2006 10:51 pm | Posts: 164 | Location: massachusetts | Favourite OS: 4074
It sounds like a really bad virus. My advice is to download the definitions manually on another computer (if your antivirus lets you do that) and then update the antivirus from that definition file.


Posted: Sun Aug 26, 2007 5:56 am
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
I was thinking that, but my Norton AV expired right after this happened. I was planning on installing AVG on a flash drive on my other PC, updating the definitions, then running it on the near-death XP comp..... do you think this will work?

Posted: Sun Aug 26, 2007 6:15 am
Donator | Joined: Sat Sep 30, 2006 5:00 pm | Posts: 3557
If you want my advice, don't run any virus scanners on that same XP install, as it might indeed have been compromised, so I wouldn't trust it anymore. Instead, boot off of another safe medium, i.e. a bootable Linux or Windows PE CD containing a virus scanner with recent databases, and then scan your system from there. Really, if you've managed to get a rootkit or something like that, it could also influence the virus scanner to claim the system is clean while it's actually not. Thus, I strongly recommend using a read-only (important!) boot medium to do the scan.


Posted: Sun Aug 26, 2007 6:27 am
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
I did a rootkit scan, it didn't find anything (but if what you're saying is true, it's probably wrong...). I did a spyware scan, and it found like 4-5 trojans and 7-8 worms (how that works, I dunno, I was just looking for spyware!), so I know for a fact I have a LOT of work to do.... I'm gonna try your method empirium and see what happens, I just have a couple other questions... what bootable OS should I use? I want to use AVG for this job, does Linux support it? If not, what's a good, free alternative?

Posted: Sun Aug 26, 2007 7:13 am
FTP Access | Joined: Wed Aug 30, 2006 10:06 pm | Posts: 2393
It sounds as though the best thing would be to just format the drive and do a fresh installation of Windows - would you be able to borrow or download an installation disc? (this is even legal if your PC has a Windows licence sticker on it somewhere)

Posted: Sun Aug 26, 2007 7:47 am
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
The closest thing I can get to the install disk I need is XP Professional SP2, but I'm not completely sure if it will mess up my compy because I have MCE 2002 on it (sorry if I sound a little noobish, XP's really not my forte...).

Posted: Sun Aug 26, 2007 8:04 am
FTP Access | Joined: Wed Aug 30, 2006 10:06 pm | Posts: 2393
If you've got a product key for XP Professional then that'll be fine, though you won't have the Media Centre application any more and won't be able to use an MCE product key if you have one. You'll need to completely remove MCE and then install Pro.

Posted: Sun Aug 26, 2007 10:28 am
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
Yeah... I was going to save the clean install as a last resort, and the person I'm fixing this for wants the Media Center. The person I'm fixing this for has loaded this computer up with so much stuff that it's become impossible to back it all up.... I think I'll try the BartPE method, but before I do, is it OK to use an XP Professional disk to build the BartPE boot disk for an MCE PC? Again, I know I sound a bit noobish, so bear with me here....

Last edited by teriaki 511 on Mon Aug 27, 2007 4:10 am, edited 1 time in total.

Posted: Sun Aug 26, 2007 12:48 pm
FTP Access | Joined: Wed Oct 04, 2006 11:02 pm | Posts: 514
teriaki 511 wrote:
    Yeah... I was going to save the clean install as a last resort, and the person I'm fixing this for wants the Media Center. The person I'm fixing this for has loaded this computer up with so much stuff that it's become impossible to back it all up.... I think I'll try the BartPE method, but before I do, is it OK to use an XP Professional disk to build the BartPE boot disk for an MCE PC? Again, I know I sound a bit noobish, so bear with me here....


Yeah, a Pro disc will be fine to make a PE disc from.

Frankly though I'd reinstall if it's that infected, I'm sure you could find an MCE disc somewhere... try the owner of the machine... You don't even need to remove everything, just install over the existing Windows install, then install AV/anti-adware apps and scan away.


Last edited by moonlit on Mon Aug 27, 2007 1:13 pm, edited 1 time in total.

Posted: Sun Aug 26, 2007 1:17 pm
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
Thanks for the tipoff moonlit, I fixed my post. Anyway, I'll have to dredge up my old XP disk. I figure I'll make a hard drive image first, that way I'll at least be able to reverse the install (kinda).

Posted: Sun Aug 26, 2007 10:12 pm
FTP Access | Joined: Wed Oct 04, 2006 11:02 pm | Posts: 514
teriaki 511 wrote:
    Thanks for the tipoff moonlit, I fixed my post. Anyway, I'll have to dredge up my old XP disk. I figure I'll make a hard drive image first, that way I'll at least be able to reverse the install (kinda).


Bear in mind that if you image the disk it will contain the malware so be very careful what you do with the image after... don't run any exe files contained on it, be very careful with documents that could contain macros and video/graphics files that could contain malicious code in them and scan it thoroughly.


Posted: Sun Aug 26, 2007 10:18 pm
Donator | Joined: Tue Jun 19, 2007 5:55 pm | Posts: 549 | Location: UK | Favourite OS: Windows NT 4.0
Use Avast Antivirus. Free, updated regularly, and has a real-time scanner.

Posted: Sun Aug 26, 2007 10:25 pm
FTP Access | Joined: Wed Oct 04, 2006 11:02 pm | Posts: 514
Yeah, I recommend AVG... I would be running AVG right now if it weren't for the fact that home versions of most AVs won't run on server OSs :(

If you do need an AV for a server OS though I can't recommend anything other than the Avast Server Edition trial, it's great. It has a time limit but I think it's like 2 months or something.


Posted: Mon Aug 27, 2007 3:46 am
Donator | Joined: Thu Mar 15, 2007 5:11 pm | Posts: 338 | Location: Devon, United Kingdom
If you post a HijackThis log here, then I will analyse it and help you fix the PC.

Posted: Mon Aug 27, 2007 4:01 am
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
When you say post, do you mean just copy/paste what was in the log?

Here it is:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:52:54 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\regscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\HFS8OYEI\HiJackThis_v2[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_821d1d\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-4271303771-1927851687-1696862372-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4271303771-1927851687-1696862372-1008\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe (User '?')
O4 - HKUS\S-1-5-21-4271303771-1927851687-1696862372-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydi ... 0.0.48.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/downloa ... YAX29b.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejewe ... er_v10.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9752 bytes

The reason there are 4 extra iexplore.exe processes is that recently, when I power on the system, miniature window artifacts appear in the corner. They don't appear to have anything to them, they just sit there, in the top-left corner of the screen... I forgot to mention this back when I listed the symptoms....

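Reading a HijackThis log by hand comes down to a handful of pattern checks, and the helpers in this thread apply them implicitly: an autostart entry for an unfamiliar binary sitting in System32 (regscan.exe, which ComboFix later deletes), BHO and search-hook registrations whose DLL is gone, an O16 ActiveX download entry with no name and no source, and an O10 LSP entry HijackThis does not recognise. The Python below is an added example for this page, not a tool posted by anyone in the thread: it parses those entry formats and flags them with exactly those rules. The allowlist of system-directory binaries and the sample input are constructed for the example (the sample lines are excerpts of the log posted above). Note the O10 handling: HijackThis's "Unknown" only means the file is not in its database, and a broken Winsock LSP chain is itself a classic cause of "only some programs can reach the network", so the code reports that entry for verification rather than removal.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not a tool from the original posts. Rules:
  * O4 Run entries whose executable sits directly in %SystemRoot% or
    System32 but is not a known Windows/OEM binary (regscan.exe above);
  * R3/O2/O3/O9 component entries reported "(no file)"/"(file missing)",
    i.e. orphaned registrations, usually leftovers of removed software;
  * O16 DPF (ActiveX download) entries with no description or no source;
  * O10 LSP entries HJT marks "Unknown": not in its database, grounds for
    checking the file, not removing it (a broken LSP chain kills networking).
The allowlist and the sample lines are constructed for the example; the
sample lines are excerpts of the log posted in this thread.
"""
import re
from dataclasses import dataclass

# Run-key binaries that legitimately live in a Windows system directory on an
# OEM XP install like this one. Assumption for the example; extend per host.
KNOWN_SYSDIR_RUN = {"ctfmon.exe", "igfxpers.exe", "hkcmd.exe", "igfxtray.exe"}

# Entry types that register an IE/shell component (search hook, BHO, toolbar, button).
COMPONENT_TYPES = {"R3", "O2", "O3", "O9"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}\s*(?:\((?P<desc>[^)]*)\))?\s*-\s*(?P<url>.*)$"
)
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
# Exactly one path component after C:\WINDOWS\ or C:\WINDOWS\system32\ (input is case-folded).
SYSDIR_RE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+$")


@dataclass
class Finding:
    kind: str    # HJT entry type, e.g. "O4"
    line: str    # the offending log line, verbatim
    reason: str  # why it was flagged


def exe_from_cmd(cmd: str) -> str:
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Apply the rules above to an iterable of HJT log lines; Findings come back in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        kind = line.split(" ", 1)[0]

        m = O4_RE.match(line)
        if m:
            exe = exe_from_cmd(m.group("cmd")).lower()
            base = exe.rsplit("\\", 1)[-1]
            if SYSDIR_RE.match(exe) and base not in KNOWN_SYSDIR_RUN:
                findings.append(Finding("O4", line,
                    f"{base} autostarts from a Windows system directory via "
                    f"{m.group('hive')} but is not a known system binary"))
            continue

        if kind in COMPONENT_TYPES and MISSING_RE.search(line):
            findings.append(Finding(kind, line,
                "registered component's file is absent (orphaned entry)"))
            continue

        m = O16_RE.match(line)
        if m:
            if not m.group("desc") or not m.group("url").strip():
                findings.append(Finding("O16", line,
                    "ActiveX download entry with no description or no source"))
            continue

        if kind == "O10" and line.startswith("O10 - Unknown"):
            findings.append(Finding("O10", line,
                "Winsock LSP not in HJT's database: verify the file's publisher "
                "before touching it; removing a legitimate LSP breaks networking"))
    return findings


# Constructed sample: excerpts of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKUS\S-1-5-21-4271303771-1927851687-1696862372-1008\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe (User '?')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Running the module prints each finding with its reason: the two Regscan Run entries, the orphaned iWin BHO and OLE search hook, the blank DPF line and the LSP entry, and nothing for the Intel, Real, Java or Symantec lines. Run over the full log above, the same rules also pick up the two xpnetdiag O9 buttons marked "(file missing)", which belong to a Microsoft network diagnostics component rather than to malware; orphaned-entry findings are cleanup candidates, not infection indicators, which is why the code reports a reason with each hit instead of a verdict.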
Posted: Mon Aug 27, 2007 4:28 am
Donator | Joined: Thu Mar 15, 2007 5:11 pm | Posts: 338 | Location: Devon, United Kingdom
Yes, that's correct. I have some instructions for you to help fix this PC.

Download ComboFix and save it to your desktop

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you. Please post the C:\ComboFix.txt so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

--------------------

You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C: then click on File > New > Folder and call it HJT , or another name of your choice. Then move HijackThis.exe to this new folder.

The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.

--------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

iWinGames

--------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejewe ... er_v10.cab


Please remember to close all other windows, including browsers then click Fix checked.

--------------------

Please include the following in your next reply:

C:\ComboFix.txt
New HijackThis log

Posted: Mon Aug 27, 2007 7:52 am
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
Thanks for all the help apache, but the link to ComboFix is broken... I'll try and search for a new link, then I'll post the results.

Posted: Mon Aug 27, 2007 12:28 pm
FTP Access | Joined: Mon Aug 27, 2007 2:33 am | Posts: 81
The best thing for you to do would be to back up all of your important data and then do a clean install. Even if you get rid of the virus/spyware that caused the problem, I think the damage has already been done.


Posted: Mon Aug 27, 2007 1:15 pm
Donator | Joined: Sun Feb 11, 2007 4:48 pm | Posts: 148 | Location: UK
ComboFix will be back up soon, I'm sure...


Posted: Mon Aug 27, 2007 2:03 pm
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
Don't get me wrong... I know I will probably never get that compy back up and running. Even with a reinstall, the chances of that fixing it are dicey at best.... I know from experience with my 98SE box, a reinstall actually made it worse!

Posted: Mon Aug 27, 2007 2:18 pm
FTP Access | Joined: Mon Aug 27, 2007 2:33 am | Posts: 81
I don't see how formatting and doing a clean install could make it worse. Now, if you are talking about a repair install, then I agree. Stay away from those. Sometimes they fix the problem, sometimes they make it worse.


Posted: Mon Aug 27, 2007 4:25 pm
Donator | Joined: Thu Mar 15, 2007 5:11 pm | Posts: 338 | Location: Devon, United Kingdom
There is currently a problem with the ComboFix site at the moment; it should be back up soon.

Posted: Tue Aug 28, 2007 6:58 pm
FTP Access | Joined: Mon Aug 20, 2007 4:58 pm | Posts: 274 | Location: The Bermuda Triangle | Favourite OS: WFW 3.11/Win 98SE
I finally got ComboFix, here are the results:

ComboFix 07-08-29.2 - "HP_Administrator" 2007-08-28 18:10:20.1 - NTFSx86


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\regscan.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-29 )))))))))))))))))))))))))))))))


2007-08-28 18:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 15:49 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-08-28 13:14 <DIR> d-------- C:\Program Files\InterMute
2007-08-27 13:50 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-22 16:07 21,008 --------- C:\WINDOWS\system32\Ctl3d.dll
2007-08-22 16:07 <DIR> d-------- C:\Program Files\Serif
2007-08-21 22:53 98 --a------ C:\WINDOWS\system32\mhncache.dat
2007-08-21 15:49 <DIR> d-------- C:\Program Files\XrX Logo Utility
2007-08-21 14:19 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-21 14:19 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-21 14:19 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-21 13:40 <DIR> d-------- C:\WINDOWS\system32\Cache
2007-08-21 13:38 <DIR> d-------- C:\Inetpub
2007-08-16 23:06 <DIR> d-------- C:\Program Files\TweakNT
2007-08-16 13:56 <DIR> d-------- C:\Program Files\Viewpoint
2007-08-15 11:50 <DIR> d-------- C:\Program Files\Puppy Luv
2007-08-11 21:24 <DIR> d-------- C:\Program Files\a-squared Free
2007-08-11 20:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-11 20:54 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2007-08-11 20:54 <DIR> d-------- C:\Program Files\Belarc
2007-08-11 20:53 <DIR> d-------- C:\Program Files\CCleaner
2007-08-11 20:03 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-08-11 19:54 <DIR> d-------- C:\Program Files\SpeedFan
2007-08-07 18:22 <DIR> d-------- C:\Program Files\BreakPoint Software
2007-08-07 18:16 <DIR> d-------- C:\Program Files\Hexprobe
2007-08-07 11:58 <DIR> d--h----- C:\WINDOWS\MSDOWNLD.TMP
2007-08-07 11:56 92,416 --a------ C:\WINDOWS\system\suw16x.dll
2007-08-07 11:56 51,392 --a------ C:\WINDOWS\system\MSNLS.DLL
2007-08-07 11:56 5,073 --a------ C:\WINDOWS\REG16X2.DAT
2007-08-07 11:56 450,560 --a------ C:\WINDOWS\system\advins16.dll
2007-08-07 11:56 45,056 --a------ C:\WINDOWS\system\RB32.DLL
2007-08-07 11:56 38,400 --a------ C:\WINDOWS\system\RUNONC16.EXE
2007-08-07 11:56 311,296 --a------ C:\WINDOWS\system\SETUPENG.DLL
2007-08-07 11:56 102,416 --a------ C:\WINDOWS\system\sucomct2.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 18:25 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-16 13:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-15 19:56 --------- d-------- C:\Program Files\GameDev
2007-08-11 23:07 --------- d-------- C:\Program Files\Macrogaming
2007-08-11 20:53 --------- d-------- C:\Program Files\Yahoo!
2007-08-04 07:51 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\HP
2007-07-13 08:26 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-09 19:51 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 15:57 162816 --a------ C:\WINDOWS\system32\drivers\RT25USBAP.SYS
2007-07-07 13:09 --------- d-------- C:\Program Files\Google
2007-07-06 22:06 --------- d-------- C:\Program Files\Super Mario Blue Twilight DX
2007-06-29 11:06 --------- d-------- C:\Program Files\PopCap Games
2007-06-29 09:48 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2006-11-11 21:03 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-07-11 18:38 524288 --a------ C:\DOCUME~1\HP_ADM~1\SONIC2.BIN
2006-07-07 20:23 524288 --a------ C:\DOCUME~1\HP_ADM~1\SONIC1.bin
2006-02-19 20:46 251 --a------ C:\Program Files\wt3d.ini
2005-05-12 10:36 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll
1999-08-10 18:31 194899 --a------ C:\DOCUME~1\HP_ADM~1\TEXTCRK.EXE
2006-06-11 23:32:53 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo 820 Series"="C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_821d1d\E_S0EIC1.exe" [2002-04-10 03:00]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2005-03-29 20:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 14:10]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 14:06]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 02:35]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 13:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 10:12]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 04:07 C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 03:19 C:\WINDOWS\arpwrmsg.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-17 09:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-19 17:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1140383566\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSPLink]
C:\Program Files\PSPLink\\PSPLink.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wwSecSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"LightScribeService"=2 (0x2)
"ISSVC"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"a2free"=2 (0x2)



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e41b117-d331-11db-ac47-00038a000015}]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4dff922-a181-11da-aa18-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
2007-08-02 20:27:02 C:\WINDOWS\Tasks\HPCeeSchedule.job - C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
2007-08-25 00:17:49 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
2007-08-28 18:26:25 C:\WINDOWS\Tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 18:14:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-29 18:15:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-29 18:15

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:58:46 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\My Documents\neptune\HiJackThis_v2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_821d1d\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [iWinArcadeIECleanup] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\iWinArcadeAutocleanup.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-4271303771-1927851687-1696862372-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4271303771-1927851687-1696862372-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydi ... 0.0.48.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/downloa ... YAX29b.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8979 bytes

Post subject:        Posted: Wed Aug 29, 2007 3:25 pm
Donator

Joined
Thu Mar 15, 2007 5:11 pm

Posts
338

Location
Devon, United Kingdom
How is the system behaving now? Are you having any other problems? Please follow these instructions:

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). On some systems this may be the F5 key, so try that if F8 doesn't work. Log in to your usual account. Make sure to close any open browsers.

--------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)


Please remember to close all other windows, including browsers, then click Fix checked.

--------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\iWinGames

--------------------

Reboot to normal mode

--------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on Image located at the bottom of the page.
  2. A "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of Panda's 8 MB ActiveX control will take place*
Begin the scan by selecting Image
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on Image then click Image
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJack This log.

_________________
|3e|\|
The Number One HTTP Server On The Internet
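Both entries the reply above asks to fix are ones HijackThis itself marks as pointing at a file that no longer exists ("(no file)" and "(file missing)"). As an added example, not code from HijackThis, ComboFix or anyone in this thread, here is a small Python triage pass over HijackThis-style log lines that flags such orphaned entries, plus two other first-look heuristics that are my own assumptions about what a reviewer checks: O4 autostarts that launch from a Temp directory, and O10 Winsock LSP modules HijackThis could not identify. The sample lines are copied from the log posted above. A hit means "look at this", not "this is malware".

```python
"""Triage a HijackThis-style log for entries worth a second look.

Added example for this thread; not part of HijackThis, ComboFix or any
poster's tools. The heuristics below are the author's assumptions about
a first-pass review, not a verdict on any entry.
"""
import re

# Markers HijackThis prints when the registered target file is absent.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Autostart launching from a temp directory (8.3 or long path) or via %TEMP%.
# Assumption: legitimate software that persists across reboots rarely does this.
TEMP_PATH = re.compile(r"(\\Temp\\|%TEMP%)", re.IGNORECASE)

# HijackThis O10 line for a Winsock LSP module it does not recognise.
LSP_UNKNOWN = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")

# Leading section tag of an entry, e.g. "R3", "O2", "O4", "O16".
SECTION = re.compile(r"^(?P<tag>[RFNO]\d+) - (?P<rest>.*)$")


def parse_line(line):
    """Return (tag, rest) for a HijackThis entry line, or None for other lines."""
    m = SECTION.match(line.strip())
    if not m:
        return None
    return m.group("tag"), m.group("rest")


def triage(lines):
    """Return (reason, line) pairs for entries worth reviewing.

    reason is one of:
      'orphan'      - target file is missing according to the log itself
      'temp-launch' - O4 Run/RunOnce entry executes from a Temp directory
      'unknown-lsp' - O10 entry HijackThis could not identify
    """
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # header, process list, blank line, etc.
        tag, rest = parsed
        if any(marker in rest for marker in ORPHAN_MARKERS):
            findings.append(("orphan", line))
        if tag == "O4" and TEMP_PATH.search(rest):
            findings.append(("temp-launch", line))
        if tag == "O10" and LSP_UNKNOWN.match(line.strip()):
            findings.append(("unknown-lsp", line))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
Running processes:
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\\PROGRA~1\\IWINGA~1\\IWINGA~1.DLL (file missing)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\RunOnce: [iWinArcadeIECleanup] C:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\iWinArcadeAutocleanup.bat
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
""".splitlines()


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:12} {line}")
```

Run against the sample it reports five hits: the two entries the reply asks to fix, the xpnetdiag entry (a stale Windows Network Diagnostic shortcut rather than anything hostile, which is why orphan hits need a human look), the iWinArcade RunOnce batch file sitting in the user's Temp folder, and the nwprovau.dll LSP line. nwprovau.dll is the Windows NetWare client provider, a Microsoft component that HijackThis simply does not have on its known list; the point of the flag is to prompt verification of that file, not to call it bad.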
All views expressed in these forums are those of the author and do not necessarily represent the views of the BetaArchive site owner.

Powered by phpBB® Forum Software © phpBB Group

Copyright © 2006-2018
