I ran the online scan and have some cleanup work to do to get rid of some Trojan Horse items. After I do what TrendMicro indicated I need to clean up, I will rerun a HiJackThis log but that may end up being tomorrow.
I have done everything that you suggested in the last post and have attempted to get everything fixed. I feel that I must have done something wrong now because I can't get hijack this to run on my computer anymore. I uninstalled it and reinstalled it and it starts and runs for a while then it encounters a problem and stops. Ugh!
I know that I still have a virus that I can't seem to eliminate and I also get something that I cannot uninstall nor can I delete the files. They are in my c:\Program Files\common files\wintools\folder. I have tried to uninstall them, I have tried to delete them and I have tried everything I can think of to get rid of them but they seem to be impossible to eliminate. They still show up as problems when I run ad-aware.
The last time I was able to get a HIJack this log, this is what it looked like:
Ok, let's fall back on a prior version and see if that will work - you can download the last version here. Let me know if that version (1.98.2) will work; it's the link at the top of the page. That way we can see exactly what we have yet to remove.
Don't reboot your computer until we are completely done, otherwise, some of those randomly named trojans might 'change' names on us.
-
Let's pull back the sleeves, open the toolbox, and bring out some hammers...
Go to Add/Remove programs and uninstall the following:
Virtual Bouncer
Run HiJackThis, click "Config...", then "Misc Tools", then "Open process manager". While holding down the CTRL key, locate and click on each of the following entry(s), so that all are highlighted at the same time.
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\blackbox.exe
rsaill.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
C:\documents and settings\admin\local settings\temp\hRRb.exe
C:\documents and settings\admin\local settings\temp\LQ.exe
C:\documents and settings\admin\local settings\temp\TEp.exe
C:\documents and settings\admin\local settings\temp\Pc.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Documents and Settings\Admin\Application Data\osoa.exe
C:\WINDOWS\system32\w?auboot.exe
Double-check and make sure nothing else is highlighted - click "Kill process". Now, refresh the list, recheck and make sure they're gone. You might have to repeat this process a few times to get them. These types of problems have a really bad habit of restarting each other. If it seems, after multiple attempts, impossible, move on to the next step.
Run "Disk Cleanup" and allow it to delete everything it finds; especially temporary files.
Now, just under the process task list, click "back", then:
1. click "Config..."
2. click "Misc Tools"
3. click "Delete a file on reboot"
4. browse to, then double-click on each of the file(s) below, one at a time, if present:
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\ZServ.dll
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
C:\WINDOWS\system32\qgc.dll
C:\Documents and Settings\Admin\Local Settings\Temp\ZmX.dll
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\blackbox.exe
rsaill.exe <=== You'll have to locate this one.
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
C:\documents and settings\admin\local settings\temp\hRRb.exe
C:\documents and settings\admin\local settings\temp\LQ.exe
C:\documents and settings\admin\local settings\temp\TEp.exe
C:\documents and settings\admin\local settings\temp\Pc.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Documents and Settings\Admin\Application Data\osoa.exe
5. when prompted to "Reboot Now", after selecting each file, select "No"
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
I have done everything that you suggested but there were some files that I could not locate. Here is the revised log file.
Logfile of HijackThis v1.98.2
Scan saved at 7:53:59 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
You're welcome! It looks like we've gotten everything; your log looks good to me.
-
Ok, now for some cleanup...
1. Run "Disk Cleanup" and allow it to remove everything it finds.
2. Run AdAware SE Personal and Spybot S&D and allow them to remove any residual registry entry(s) left behind from the infection.
3. Go to www.trendmicro.com and click "Free Online Scan". When it's down, select all available drives, then click "Scan".
4. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new restore point manually.
-
If the anti-virus scanner picks up anything in "System_Volume" then you'll need to disable system restore first, before doing any of the other steps, and run the virus scanner again. Be sure to re-enable it, and create a new restore point when you're done.
Logfile of HijackThis v1.98.2
Scan saved at 8:30:44 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Excellent work! It looks like there's just a few more entry(s) to go...
Go to Add/Remove programs and remove the following, if present:
TBPS
anything with 'toolbar' anywhere in the entry.
Be careful not to remove any personal or system software.
-
If the toolbar was successfully un-installed, you can skip the following steps and just post back a new hijackthis log.
Now, let's run HiJackThis, then:
1. click "Config..."
2. click "Misc Tools"
3. click "Delete a file on reboot"
4. browse to, then double-click on each of the file(s) below, one at a time, if present:
Midnight Star
4.8K Posts
0
December 29th, 2004 16:00
WowZa!!! ... Are you using regular AdAware, or AdAware SE?
Ok, let's try this...
-
Reboot your computer into "Safe Mode".
-----
Run "Disk Cleanup" and allow it to remove everything it finds. Especially temporary files located here:
C:\documents and settings\admin\local settings\temp\
-----
Run HiJackThis and click "Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O4 - Global Startup: APC UPS Status.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
Now, with all windows closed except HiJackThis, click "Fix checked".
Reboot your computer.
-----
Run "Disk Cleanup" again, and allow it to remove everything it finds.
-----
You'll need to download uninst.exe to remove the 'peper' infection, then:
1. run uninst.exe ... (first pass).
2. reboot your computer.
3. run uninst.exe ... (final pass).
Note: You must have an active internet connection, each time this program is run, for it to properly work.
-----
Now, goto www.trendmicro.com and click "Free Online Scan". When it's down, select all available drives, then click "Scan".
-----
Run AdAware SE Personal and SPybot again just to see if they pick something else up. Especially temporary files located here:
C:\documents and settings\admin\local settings\temp\
-----
Post back a new log.
Mike.
BenRankin
9 Posts
0
December 29th, 2004 19:00
I am running regular AdAware.
After performing all of the instructions in your last post, here is my Hijack This Log file. Once again, I replaced the word s e x with ??? and put an asterisk before and after the line where I made this change. I don't know what that file is. Could I delete it without causing a big problem? Then I could post my log files here without making any changes.
Thanks in advance for your help.
Logfile of HijackThis v1.99.0
Scan saved at 3:07:33 PM, on 12/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\blackbox.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\documents and settings\admin\local settings\temp\QmtZPIUa.exe
C:\WINDOWS\system32\qkvkir.exe
C:\documents and settings\admin\local settings\temp\lx6by8.exe
C:\documents and settings\admin\local settings\temp\AT4aPWK4.exe
C:\documents and settings\admin\local settings\temp\wqSWg4F.exe
C:\WINDOWS\system32\hnef32.exe
C:\Documents and Settings\Admin\Application Data\osoa.exe
C:\WINDOWS\system32\??chost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\hijackthis[1]\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {912E7F3D-E8AA-EB2E-D78D-E7ABAA0150C0} - C:\WINDOWS\system32\ovimqw.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin\Local Settings\Temp\hLwz6.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sujbG] C:\documents and settings\admin\local settings\temp\sujbG.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [dmRdSwU] C:\documents and settings\admin\local settings\temp\dmRdSwU.exe
O4 - HKLM\..\Run: [840a556a3ae3] C:\WINDOWS\System32\blackbox.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [qF9i39U] rsaill.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QmtZPIUa] C:\documents and settings\admin\local settings\temp\QmtZPIUa.exe
O4 - HKLM\..\Run: [pZip7Zw] C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
O4 - HKLM\..\Run: [lx6by8] C:\documents and settings\admin\local settings\temp\lx6by8.exe
O4 - HKLM\..\Run: [AT4aPWK4] C:\documents and settings\admin\local settings\temp\AT4aPWK4.exe
O4 - HKLM\..\Run: [yat3yvd6] C:\documents and settings\admin\local settings\temp\yat3yvd6.exe
O4 - HKLM\..\Run: [wqSWg4F] C:\documents and settings\admin\local settings\temp\wqSWg4F.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104251668\EE\AOLHostManager.exe
O4 - HKLM\..\RunOnce: [cetec] regedit.exe /s C:\DOCUME~1\Admin\LOCALS~1\Temp\cetec.reg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
*O4 - HKCU\..\Run: [???] C:\WINDOWS\System32\???xx.exe*
O4 - HKCU\..\Run: [dhcpmon] C:\WINDOWS\System32\dhcpmon.exe
O4 - HKCU\..\Run: [boqsRVYmX] hnef32.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Admin\Application Data\osoa.exe
O4 - HKCU\..\Run: [Ronubfu] C:\WINDOWS\system32\??chost.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
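The helper reads logs like the one above by hand, picking out the same tells each time: Run entries whose executable lives in the user's temp directory or directly in Application Data, bare filenames with no directory (rsaill.exe, hnef32.exe), filenames HijackThis prints with `?` because it cannot display the characters, unnamed BHOs, a silent `regedit /s` import from Temp, and the O6 policy restrictions. As an added example that is not part of this thread, the Python script below applies those heuristics to HijackThis-style lines. The `SAMPLE_LOG` text is constructed for the example and modelled on entries in the logs posted here; the function and regex names are the example's own.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, modelled on the kinds of entries discussed in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {912E7F3D-E8AA-EB2E-D78D-E7ABAA0150C0} - C:\WINDOWS\system32\ovimqw.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin\Local Settings\Temp\hLwz6.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sujbG] C:\documents and settings\admin\local settings\temp\sujbG.exe
O4 - HKLM\..\Run: [qF9i39U] rsaill.exe
O4 - HKCU\..\Run: [Ronubfu] C:\WINDOWS\system32\??chost.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Admin\Application Data\osoa.exe
O4 - HKLM\..\RunOnce: [cetec] regedit.exe /s C:\DOCUME~1\Admin\LOCALS~1\Temp\cetec.reg
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# "O4 - HKLM\..\Run: [name] command" and friends.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^BHO: (?P<desc>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# First executable-looking token of a command line, with or without quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|com|scr))"?(?P<args>.*)$', re.I)
TEMP_RE = re.compile(r"\\(?:local settings|locals~1)\\temp\\", re.I)
APPDATA_EXE_RE = re.compile(r"\\application data\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    line: str
    reasons: list[str]


def path_reasons(path: str) -> list[str]:
    """Why a module path looks like something an installer would not have written."""
    reasons = []
    if "\\" not in path:
        reasons.append("bare filename with no directory (resolved by PATH search, not an install location)")
    if "?" in path:
        reasons.append("filename contains characters HijackThis could not display ('?')")
    if TEMP_RE.search(path):
        reasons.append("loaded from the user's temp directory")
    if APPDATA_EXE_RE.search(path):
        reasons.append("executable placed directly in Application Data")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return every log entry that trips at least one heuristic, with the reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        reasons: list[str] = []
        if kind == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe_m = EXE_RE.match(o4.group("cmd"))
                if exe_m:
                    exe, args = exe_m.group("exe"), exe_m.group("args")
                    reasons += path_reasons(exe)
                    if exe.lower().endswith("regedit.exe") and "/s" in args and TEMP_RE.search(args):
                        reasons.append("silent .reg import from the temp directory at next logon")
        elif kind == "O2":
            o2 = O2_RE.match(body)
            if o2:
                if o2.group("desc") == "(no name)":
                    reasons.append("BHO registered without a description")
                reasons += path_reasons(o2.group("path"))
        elif kind == "O6":
            reasons.append("IE policy restriction key present (benign only if you or an immunizer set it)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

The script flags eight of the eleven constructed entries and leaves the Symantec, Adobe and NavNT lines alone. It is a reading aid, not a verdict: the O6 rule in particular fires on keys that Spybot's Immunize feature sets deliberately, which is exactly the caveat the helper gives above.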
Midnight Star
4.8K Posts
0
December 29th, 2004 21:00
Yes you can. Let's try this...
-----
If you're using an anti-virus program, do this...
Go to www.trendmicro.com and click "Free Online Scan". When it's down, select all available drives, then click "Scan".
-
If not, do this...
Download, install and run AVG 7.x. Be sure to check for any available updates before beginning the scan.
http://www.grisoft.com/us/us_dwnl_free.php
-----
Let's see what those can do before we use HiJackThis.
Mike.
Midnight Star
4.8K Posts
0
December 29th, 2004 23:00
Ben,
That'll be just fine.
Mike.
BenRankin
9 Posts
0
December 29th, 2004 23:00
BenRankin
9 Posts
0
January 11th, 2005 20:00
Logfile of HijackThis v1.99.0
Scan saved at 3:33:22 PM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\blackbox.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\admin\local settings\temp\QmtZPIUa.exe
C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
C:\documents and settings\admin\local settings\temp\lx6by8.exe
C:\WINDOWS\system32\qkvkir.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLHOS~1.EXE
C:\Documents and Settings\Admin\Application Data\osoa.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\d?dplay.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\America Online 9.0b\shellmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\hijackthis[1]\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {029CE078-2FEF-7739-956C-2CA71A38C692} - C:\WINDOWS\system32\mqlalrzu.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin\Local Settings\Temp\4wnnqbB.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sujbG] C:\documents and settings\admin\local settings\temp\sujbG.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [dmRdSwU] C:\documents and settings\admin\local settings\temp\dmRdSwU.exe
O4 - HKLM\..\Run: [840a556a3ae3] C:\WINDOWS\System32\blackbox.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [qF9i39U] rsaill.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QmtZPIUa] C:\documents and settings\admin\local settings\temp\QmtZPIUa.exe
O4 - HKLM\..\Run: [pZip7Zw] C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
O4 - HKLM\..\Run: [lx6by8] C:\documents and settings\admin\local settings\temp\lx6by8.exe
O4 - HKLM\..\Run: [AT4aPWK4] C:\documents and settings\admin\local settings\temp\AT4aPWK4.exe
O4 - HKLM\..\Run: [yat3yvd6] C:\documents and settings\admin\local settings\temp\yat3yvd6.exe
O4 - HKLM\..\Run: [wqSWg4F] C:\documents and settings\admin\local settings\temp\wqSWg4F.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104251668\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [hRRb] C:\documents and settings\admin\local settings\temp\hRRb.exe
O4 - HKLM\..\Run: [xWphzu] C:\documents and settings\admin\local settings\temp\xWphzu.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [s e x] C:\WINDOWS\System32\s e x x x.exe
O4 - HKCU\..\Run: [dhcpmon] C:\WINDOWS\System32\dhcpmon.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Admin\Application Data\osoa.exe
O4 - HKCU\..\Run: [Vagrfro] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
I have installed and run the virus software you suggested and it keeps finding a file in
C:\windows\system32\iplpwo.dll that it says is a virus. I have tried to heal it, to quarantine it, to delete it and although it appears that I am successful at the time, it comes right back when I reboot. What should I do next? I am at a loss and I am getting tired of my system locking up.
Thanks in advance for all of your fine help.
Ben Rankin
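Across the posts above the helper compares each new log with the previous one to see which processes and Run entries survived a cleanup pass, which is how entries like sujbG.exe that "come right back" stand out. As an added example that is not part of this thread, the Python script below does that comparison mechanically: it pulls the "Running processes" block and the O4 Run entries out of two HijackThis logs and reports what started, what is gone, and what persisted. `OLD_LOG` and `NEW_LOG` are constructed excerpts modelled on the 12/29/2004 and 1/6/2005 logs posted here, and the function names are the example's own.

```python
"""Diff two HijackThis logs: processes and Run entries that changed (added example, not from the thread)."""
from __future__ import annotations

import re

# Constructed excerpts modelled on the two logs posted in the thread.
OLD_LOG = r"""
Logfile of HijackThis v1.99.0
Scan saved at 3:07:33 PM, on 12/29/2004
Running processes:
C:\WINDOWS\System32\smss.exe
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\WINDOWS\system32\hnef32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sujbG] C:\documents and settings\admin\local settings\temp\sujbG.exe
O4 - HKCU\..\Run: [boqsRVYmX] hnef32.exe
"""

NEW_LOG = r"""
Logfile of HijackThis v1.99.0
Scan saved at 3:33:22 PM, on 1/6/2005
Running processes:
C:\WINDOWS\system32\smss.exe
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sujbG] C:\documents and settings\admin\local settings\temp\sujbG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Vagrfro] C:\WINDOWS\system32\d?dplay.exe
"""

ENTRY_RE = re.compile(r"^[RO]\d+ - ")  # first R/O entry ends the process list
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_log(text: str) -> dict:
    """Return the process set and the O4 Run entries (keyed hive\\key:name) of one log.

    Process paths are lower-cased because HijackThis prints System32 and system32
    inconsistently between runs, and that is not a change worth reporting.
    """
    processes: set[str] = set()
    run_entries: dict[str, str] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False
        if in_processes:
            processes.add(line.lower())
            continue
        m = RUN_RE.match(line)
        if m:
            key = f"{m.group('hive')}\\{m.group('key')}:{m.group('name')}"
            run_entries[key] = m.group("cmd")
    return {"processes": processes, "run": run_entries}


def diff_logs(old_text: str, new_text: str) -> dict:
    """What appeared, disappeared, and survived between two scans."""
    old, new = parse_log(old_text), parse_log(new_text)
    return {
        "processes_started": sorted(new["processes"] - old["processes"]),
        "processes_gone": sorted(old["processes"] - new["processes"]),
        "run_added": sorted(set(new["run"]) - set(old["run"])),
        "run_removed": sorted(set(old["run"]) - set(new["run"])),
        "run_persisted": sorted(set(old["run"]) & set(new["run"])),
    }


if __name__ == "__main__":
    for section, items in diff_logs(OLD_LOG, NEW_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

On the constructed excerpts the AVG components show up as new (expected, since AVG was installed between the scans), hnef32.exe is gone, a new randomly named HKCU entry has appeared, and sujbG.exe is in `run_persisted`, which is the list to look at first after a cleanup pass.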
Midnight Star
4.8K Posts
0
January 11th, 2005 21:00
BenRankin
9 Posts
0
January 11th, 2005 21:00
Thanks Mike. Here is the log.
Logfile of HijackThis v1.98.2
Scan saved at 5:23:44 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\blackbox.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
C:\documents and settings\admin\local settings\temp\hRRb.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\documents and settings\admin\local settings\temp\TEp.exe
C:\Documents and Settings\Admin\Application Data\osoa.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLServiceHost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\AMERIC~1.0B\waol.exe
C:\PROGRA~1\AMERIC~1.0B\shellmon.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\SYSTEM32\w?auboot.exe
C:\Documents and Settings\Admin\My Documents\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {DE531530-D5A6-D073-801C-8E1D816119C3} - C:\WINDOWS\system32\qgc.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin\Local Settings\Temp\ZmX.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sujbG] C:\documents and settings\admin\local settings\temp\sujbG.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [840a556a3ae3] C:\WINDOWS\System32\blackbox.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [qF9i39U] rsaill.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [pZip7Zw] C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104251668\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [hRRb] C:\documents and settings\admin\local settings\temp\hRRb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LQ] C:\documents and settings\admin\local settings\temp\LQ.exe
O4 - HKLM\..\Run: [TEp] C:\documents and settings\admin\local settings\temp\TEp.exe
O4 - HKLM\..\Run: [Pc] C:\documents and settings\admin\local settings\temp\Pc.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [dhcpmon] C:\WINDOWS\System32\dhcpmon.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Admin\Application Data\osoa.exe
O4 - HKCU\..\Run: [Ozy] C:\WINDOWS\system32\w?auboot.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0B\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Midnight Star, January 11th, 2005 22:00
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\blackbox.exe
rsaill.exe
C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
C:\documents and settings\admin\local settings\temp\hRRb.exe
C:\documents and settings\admin\local settings\temp\LQ.exe
C:\documents and settings\admin\local settings\temp\TEp.exe
C:\documents and settings\admin\local settings\temp\Pc.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Documents and Settings\Admin\Application Data\osoa.exe
C:\WINDOWS\system32\w?auboot.exe
Now, just under the process task list, click "back", then:
2. click " Misc Tools"
3. click " Delete a file on reboot"
4. browse to, then double-click on each of the file(s) below, one at a time, if present:
C:\WINDOWS\ZServ.dll
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
C:\WINDOWS\system32\qgc.dll
C:\Documents and Settings\Admin\Local Settings\Temp\ZmX.dll
C:\documents and settings\admin\local settings\temp\sujbG.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\blackbox.exe
rsaill.exe <=== You'll have to locate this one.
C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
C:\documents and settings\admin\local settings\temp\hRRb.exe
C:\documents and settings\admin\local settings\temp\LQ.exe
C:\documents and settings\admin\local settings\temp\TEp.exe
C:\documents and settings\admin\local settings\temp\Pc.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Documents and Settings\Admin\Application Data\osoa.exe
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u WToolsB.dll
regsvr32 /u qgc.dll
regsvr32 /u ZmX.dll
Now, in the lower-right hand corner of HiJackThis click " Back" then " Scan", then check(tick) the following, if present:
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {DE531530-D5A6-D073-801C-8E1D816119C3} - C:\WINDOWS\system32\qgc.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin\Local Settings\Temp\ZmX.dll
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [840a556a3ae3] C:\WINDOWS\System32\blackbox.exe
O4 - HKLM\..\Run: [qF9i39U] rsaill.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [pZip7Zw] C:\documents and settings\admin\local settings\temp\pZip7Zw.exe
O4 - HKLM\..\Run: [hRRb] C:\documents and settings\admin\local settings\temp\hRRb.exe
O4 - HKLM\..\Run: [LQ] C:\documents and settings\admin\local settings\temp\LQ.exe
O4 - HKLM\..\Run: [TEp] C:\documents and settings\admin\local settings\temp\TEp.exe
O4 - HKLM\..\Run: [Pc] C:\documents and settings\admin\local settings\temp\Pc.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Admin\Application Data\osoa.exe
O4 - HKCU\..\Run: [Ozy] C:\WINDOWS\system32\w?auboot.exe
Now, with all windows closed except HiJackThis, click " Fix checked".
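The entries Mike picks out above share a few tell-tale shapes: autostarts that run out of a temp folder, a bare file name with no directory (rsaill.exe), a `?` in a file name, registry hooks that point at a file that is no longer there, and an ActiveX download with no control name. The script below encodes those patterns as triage heuristics over HijackThis-style lines. It is an added example, not HijackThis code and not the helper's own procedure; the function names (`triage`, `flagged`, `reasons_for`, `extract_target`) and the heuristics are mine, and the sample lines are copied from Ben's log above so a benign vendor entry and a suspicious one can be compared side by side.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example: not HijackThis code and not the helper's own procedure.
Each heuristic mirrors a pattern the thread acts on by hand.
"""
import re

# Sample lines copied from the log posted above: a mix of benign vendor
# entries and the ones singled out for removal.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin\Local Settings\Temp\ZmX.dll
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sujbG] C:\documents and settings\admin\local settings\temp\sujbG.exe
O4 - HKLM\..\Run: [qF9i39U] rsaill.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Admin\Application Data\osoa.exe
O4 - HKCU\..\Run: [Ozy] C:\WINDOWS\system32\w?auboot.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

# A drive-letter path ending in an executable extension, possibly quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cpl))\b', re.I)
# A bare file name with no directory at all (found via the search path).
BARE_RE = re.compile(r'^"?([\w.\-~]+\.(?:exe|dll|scr|bat|cpl))\b', re.I)
# O16 lines normally carry a control name in parentheses after the CLSID.
NAMED_O16_RE = re.compile(r'^O16 - DPF: \{[^}]+\} \(')


def extract_target(line):
    """The command or file an R/O entry points at, or None if it has none."""
    m = (re.match(r'^O4 - .*?\] (.*)$', line)
         or re.match(r'^O4 - Global Startup: .* = (.*)$', line))
    if m:
        return m.group(1).strip()
    parts = line.split(' - ')          # "Oxx - description - {CLSID} - path"
    return parts[-1].strip() if len(parts) >= 3 else None


def triage_line(line):
    """Reasons a single line deserves a second look (empty list = clean)."""
    reasons = []
    if line.startswith('O16 - DPF:') and not NAMED_O16_RE.match(line):
        reasons.append('unnamed ActiveX download (no control name recorded)')
    target = extract_target(line)
    if target is None:
        return reasons
    if '(no file)' in target or '(file missing)' in target:
        reasons.append('orphaned entry: points at a file that no longer exists')
    m = PATH_RE.search(target)
    if m:
        path = m.group(1)
    else:
        b = BARE_RE.match(target)
        if not b:
            return reasons
        path = b.group(1)
        reasons.append('bare filename, no directory: resolved through the search path')
    p = path.lower()
    if '\\local settings\\temp\\' in p or '\\windows\\temp\\' in p:
        reasons.append('autostart or hook loaded from a temp directory')
    if re.search(r'\\application data\\[^\\]+$', p):
        reasons.append('executable dropped directly in the user profile data folder')
    if '?' in path:
        reasons.append('unprintable or non-ASCII character in the file name (shown as ?)')
    return reasons


def triage(log_text):
    """(line, reasons) for every non-blank line of the log."""
    return [(ln.strip(), triage_line(ln.strip()))
            for ln in log_text.splitlines() if ln.strip()]


def flagged(log_text):
    """Only the lines that picked up at least one reason."""
    return [(ln, rs) for ln, rs in triage(log_text) if rs]


def reasons_for(log_text, needle):
    """Reasons for the first line containing `needle`; [] if clean or absent."""
    for ln, rs in triage(log_text):
        if needle in ln:
            return rs
    return []


if __name__ == '__main__':
    for ln, rs in flagged(SAMPLE_LOG):
        print(ln)
        for r in rs:
            print('    ->', r)
```

Running it prints the eight suspicious lines from the sample with their reasons and stays silent on the Adobe, NVIDIA, AVG and HouseCall entries. The heuristics are deliberately conservative: a match is a prompt to look at the file, not a verdict, and a vendor uninstaller that happens to live in `C:\WINDOWS\Temp` will be flagged too.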
BenRankin, January 11th, 2005 23:00
Scan saved at 7:53:59 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLServiceHost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\AMERIC~1.0B\waol.exe
C:\PROGRA~1\AMERIC~1.0B\shellmon.exe
C:\Program Files\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Documents and Settings\Admin\My Documents\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104251668\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKCU\..\Run: [dhcpmon] C:\WINDOWS\System32\dhcpmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0B\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Midnight Star, January 12th, 2005 00:00
Ben,
You're welcome! It looks like we've gotten everything; your log looks good to me.
-
Ok, now for some cleanup...
1. Run "Disk Cleanup" and allow it to remove everything it finds.
2. Run AdAware SE Personal and Spybot S&D and allow them to remove any residual registry entry(s) left behind from the infection.
3. Go to www.trendmicro.com and click "Free Online Scan". When it's done, select all available drives, then click "Scan".
4. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new restore point manually.
-
If the anti-virus scanner picks up anything in "System_Volume" then you'll need to disable system restore first, before doing any of the other steps, and run the virus scanner again. Be sure to re-enable it, and create a new restore point when you're done.
Mike.
BenRankin, January 12th, 2005 00:00
Mike
Thanks again for your help.
Here is the latest log.
Ben
Logfile of HijackThis v1.98.2
Scan saved at 8:30:44 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\COMMON~1\AOL\110425~1\EE\AOLServiceHost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\AMERIC~1.0B\waol.exe
C:\PROGRA~1\AMERIC~1.0B\shellmon.exe
C:\Documents and Settings\Admin\My Documents\My Documents\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104251668\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKCU\..\Run: [dhcpmon] C:\WINDOWS\System32\dhcpmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0B\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
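The way the leftover Toolbar/TBPS entries were spotted in this thread was by reading each new log against the previous one: the WinTools entries went away after the fix, and TBPS.exe, PIB.exe and TBPSSvc.exe showed up in their place. The script below does that comparison mechanically and also checks whether every entry on a "fix these" list is really gone. It is an added example, not HijackThis code and not the helper's own method; `parse_log`, `diff_logs` and `unfixed` are my names, and the two abridged logs are constructed from lines in Ben's posts above (the second one deliberately lacks the "Running processes:" header, as Ben's 7:53 PM paste did, so lines are classified by shape rather than by section header).

```python
"""Compare two successive HijackThis logs and verify a fix list.

Added example: not HijackThis code and not the helper's own method.
"""
import re

PROCESS_RE = re.compile(r'^[A-Za-z]:\\')   # a line from the "Running processes" list
ENTRY_RE = re.compile(r'^[RO]\d+ - ')      # an R0/R1/O2/O4/... entry

# Constructed, abridged log built from lines in the 5:23 PM post above.
OLD_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 5:23:44 PM, on 1/11/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Documents and Settings\Admin\My Documents\My Documents\HijackThis.exe
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
"""

# Constructed, abridged log built from lines in the 7:53 PM post above.
# That paste had no "Running processes:" header, so classify by line shape.
NEW_LOG = r"""
Scan saved at 7:53:59 PM, on 1/11/2005
C:\WINDOWS\System32\smss.exe
C:\Program Files\Toolbar\TBPS.exe
C:\Documents and Settings\Admin\My Documents\My Documents\HijackThis.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
"""


def parse_log(text):
    """Split a log into (processes, entries) sets; header lines are dropped."""
    processes, entries = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries.add(line)
        elif PROCESS_RE.match(line):
            processes.add(line)
    return processes, entries


def diff_logs(old_text, new_text):
    """What went away and what appeared between two scans, as sorted lists."""
    old_p, old_e = parse_log(old_text)
    new_p, new_e = parse_log(new_text)
    return {
        'processes_gone': sorted(old_p - new_p),
        'processes_new': sorted(new_p - old_p),
        'entries_gone': sorted(old_e - new_e),
        'entries_new': sorted(new_e - old_e),
    }


def unfixed(new_text, fix_list):
    """Entries from a 'fix these' list that are still present in the new log."""
    _, entries = parse_log(new_text)
    return [e for e in fix_list if e.strip() in entries]


if __name__ == '__main__':
    for section, lines in diff_logs(OLD_LOG, NEW_LOG).items():
        print(section)
        for ln in lines:
            print('   ', ln)
```

The `entries_new` list is the part worth reading first after each round: an entry that was not in the previous log either came from the cleanup itself (the WinTools uninstaller registering its own Run key) or is a fresh arrival, and the latter is what the next fix list is built from.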
Midnight Star, January 12th, 2005 00:00
BenRankin,
Excellent work! It looks like there's just a few more entry(s) to go...
Go to Add/Remove programs and remove the following, if present:
TBPS
anything with 'toolbar' anywhere in the entry.
Be careful not to remove any personal or system software.
1. click "Config..."
2. click "Misc Tools"
3. click "Delete a file on reboot"
4. browse to, then double-click on each of the file(s) below, one at a time, if present:
C:\Program Files\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
5. when prompted to "Reboot Now", after selecting each file, select "No"
Run HiJackThis and click " Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s). Make sure you're able to view system files/folders:
folders...
C:\Program Files\Toolbar
Don't reboot your computer just yet and post back a new log.
Mike.