April 16th, 2006 00:00

Trojan Horse and Adware Issues- HJT Log

I ran Symantec and, after scanning 80387 files, 344 were found to be infected!!!! The list is extensive, but I can post it if need be. Examples of the files listed are as follows:
 
C:\Documents and Settings\Naiya\Local Settings\Temp\Temporary Internet Files\Content.IE5\KRNJECP5\stub_109_4_0_4_0[1].exe is infected with Adware.TargetSav

 

C:\Documents and Settings\Naiya\Local Settings\Temp\EACDownload\defscan_install.exe is infected with Trojan Horse

 
Can my sickly computer be saved, or should I strip the hard drive, or should I just get a whole new CPU :(
 
Below is my HJT Log
 
Logfile of HijackThis v1.99.1
Scan saved at 8:56:41 PM, on 4/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\TmFpeWE\command.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\System32\windir32.exe
C:\WINDOWS\System32\wininit32.exe
C:\foobar.exe
C:\WINDOWS\Servces32.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\windows\system32\rrdsregp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\igps.exe
C:\windows\win333\ntlm.exe
C:\WINDOWS\System32\pgws.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\windir32.exe
C:\PROGRA~1\COMMON~1\zmzf\zmzfm.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\System32\SKS~1\wuauclt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Windows\AutoIt3.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\InetGet2\SSK3_B5.exe
C:\WINDOWS\SYSTEM32\??rss.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\System32\djelpx.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\PROGRA~1\Network\ipnetwork.exe
C:\WINDOWS\System32\rwinssag.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\WINDOWS\izonlelok.exe
C:\WINDOWS\izonlelok.exe
C:\Documents and Settings\Naiya\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {A50CC8D7-2E3E-56E9-1046-5A50DC2362C7} - C:\WINDOWS\System32\jxsw.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [dhalauq] c:\windows\system32\gaqsjli.exe
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [Microsoft Update 64 BIT] wininit32.exe
O4 - HKLM\..\Run: [filit] C:\foobar.exe
O4 - HKLM\..\Run: [Windows Services] C:\WINDOWS\Servces32.exe
O4 - HKLM\..\Run: [MSN 2] stkst.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [{D9-9F-FD-DC-ZN}] C:\windows\system32\rrdsregp.exe FI003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\rwinssag.exe FI003
O4 - HKLM\..\Run: [0wso0x0s.dll] RUNDLL32.EXE 0wso0x0s.dll,b 3949140
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\System32\igps.exe"
O4 - HKLM\..\Run: [Windows+Services] c:\windows\win333\ntlm.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [wafuac] C:\WINDOWS\System32\djelpx.exe r
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] wininit32.exe
O4 - HKLM\..\RunServices: [MSN 2] stkst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - HKCU\..\Run: [MSN 2] stkst.exe
O4 - HKCU\..\Run: [zmzf] C:\PROGRA~1\COMMON~1\zmzf\zmzfm.exe
O4 - HKCU\..\Run: [Download] "C:\DOCUME~1\Naiya\LOCALS~1\Temp\BellSouth\SSGet.exe" 120 " http://download.fastaccess.com/download/HCUpgrade3.1.exe" "HCUpgrade3.1.exe" Log
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\SKS~1\wuauclt.exe" -vt yazr
O4 - HKCU\..\Run: [Fhgym] C:\WINDOWS\System32\??rss.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\rwinssag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://jaguar2.spelman.edu/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://jaguar2.spelman.edu/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A34EC17F-04AD-4273-8E85-C92B4241A0D8}: NameServer = 205.188.146.145
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - AppInit_DLLs: mad.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFpeWE\command.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

3 Apprentice, 15.2K Posts

April 16th, 2006 12:00

Naiya,
 
I see you've posted elsewhere... I've responded to you before... and I believe you indicated problems with more than one machine. Since BugBatter already helped you with an HJT, I hope this is the "other" machine.
 
***********************
 
First question: the Symantec scan you ran, that found the 344 problems.... was that a scanner ONLY???
Or did it allow you an option to quarantine [or delete] the infected files??
 
Second question: in terms of anti-virus.... unless I'm overlooking something, it appears you're still running AVG version 6. That's an old program, and I don't know that it's currently being supported anymore. If it was a paid version, I'm not sure what to suggest.... but if it's the free version, you should upgrade to AVG 7 FREE from here:
Then, click on the avg71free... link near the bottom of the page
 
Download the new AVG 7, uninstall the old one (6) [if it was the free version], install the new one (7), go online to get the latest updates (virus definition files), run a COMPLETE SCAN, and allow it to quarantine anything it finds.
 
 
***********************
 
Among other things, you have a NAIL/epolvy infection... I'm going to try to help you to remove this first. AFTER we remove NAIL, either I or someone else will then consider your remaining problems.
 
This fix involves using Ad-Aware, and its VX2-cleaner.   It is critical that you use the current versions as indicated below... if you use an older/obsolete version, the fix will not work.
 
If you don't already have it, download Ad-Aware SE Personal 1.06 from http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html
[Note:  If you have an older "build" of Ad-Aware SE --- or even worse, if you're still using Ad-Aware 6 --- you must upgrade to this version/build,  SE 1.06 ]
 
Install the Ad-Aware program (following any indicated directions).   [As part of the installation, it will check to see if you already have an older version of Ad-Aware installed, and if one is found, it will ask ("advise" ) you to allow the older one to be removed...  so if asked, please allow it.]
 
Open/start Ad-Aware SE. Click on Check for Updates Now, and Connect. If found, follow the directions to download/install the latest reference file, till you FINISH.
 
After updating, from the STATUS screen, click on START.
Then make sure you have a RED X in front of "Search for negligible risk entries"
(if you see a GREEN CHECK, then CLICK on it, to change it to the RED X)
then hit NEXT to perform a Smart Scan. Allow it to remove any problems found.
 
Close-down Ad-Aware.  
 
Then download the VX2-cleaner add-on by clicking on the link near the bottom of
This will download the file vx2cleaner_inst.exe; click on it, and follow the directions to install the VX2-cleaner.
 
Start Ad-Aware SE again. Click on the Add-Ons button. Click on the VX2-Cleaner. Click on Run Tool, and then click OK. If it finds any VX2 problems, follow all the directions to CLEAN things. (I believe this will include a reboot, and directions to run another smart scan. Follow all indicated directions [i.e., various/multiple scans] until it tells you you're clean of VX2.)
 
This should have removed all traces of NAIL/Aurora/epolvy/SvcProc.  Please generate and post a new HiJackThis log,  REPLYing to this same thread.

Message Edited by ky331 on 04-16-2006 09:37 AM

3 Apprentice, 15.2K Posts

April 16th, 2006 18:00

Sometimes an anti-virus [or anti-spyware] program needs to restart the system, to begin a spyware scan before all the "garbage" has a chance to load itself into the system.
 
When you say "it wouldn't allow [you] to type in [your] password", was it trying to do something else [like automatically continue/run a virus scan]?? Or did the system just "freeze" on you? If it froze, and required a manual shut down, that doesn't sound right/good.
 
I want to call in someone else, to get their opinion on this....

12 Posts

April 16th, 2006 18:00

I ran the Symantec per the instructions in the thread that is titled "Read this Before Posting" to scan the desktop I referred to in a previous posting. It scanned everything, then told me to click on a link to get help removing the files, but I was confused about what to do next at that stage. According to the instructions you have left me, I have downloaded the AVG 7 and removed the 6 version (yes, it was free). It did a scan and found over 150 infected files and requested that I shut down the computer to begin the "healing" process. Various different messages popped up as the computer was shutting down, and I'm assuming they have to do with the infected files. When the computer restarted it wouldn't allow me to type in my password to log on, and thus I had to manually shut the computer off again. I have left it off for now as I had to leave, but I will attempt to follow the rest of the instructions you gave me once I return to my home computer and update you on the progress then. Thank you for your help thus far!

12 Posts

April 16th, 2006 22:00

In the past, if I have shut the computer down and restarted it, it wouldn't let me type in my password to log on, and that was what led me to believe the computer had serious problems to begin with. When this would happen in the past I would have to restart the computer numerous times before I was able to type in my password (at the time I thought the CPU wasn't reading the keyboard, but now it's obvious that it probably has to do with all the infections). In this particular instance, I wasn't able to type in my password after AVG restarted the computer while it was doing its scanning/cleaning. Thus, I manually shut the computer down and just decided to work with it once I returned. This desktop has some serious problems and, depending on how well it responds to the instructions you previously gave me, I may have to give up on it and buy a new one or send it to a professional. But once again, thank you for your patience and your assistance, and as I stated before I will attempt to do everything I can to salvage it.

Message Edited by Naiya06 on 04-16-2006 06:40 PM

12 Posts

April 17th, 2006 05:00

OK, I followed the instructions you gave me and I have run several scans using both the AVG and the AdAware. There are still some pop-ups, but not nearly as many as before. Please let me know what the next step is. Below is a recent HJT log. Thanks!!
 
 
Logfile of HijackThis v1.99.1
Scan saved at 2:37:55 AM, on 4/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Network\ipnetwork.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\??rss.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Naiya\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - {A50CC8D7-2E3E-56E9-1046-5A50DC2362C7} - C:\WINDOWS\System32\jxsw.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [dhalauq] c:\windows\system32\gaqsjli.exe
O4 - HKLM\..\Run: [{D9-9F-FD-DC-ZN}] c:\windows\system32\dwdsregt.exe FI003
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\System32\igps.exe"
O4 - HKLM\..\Run: [Windows+Services] c:\windows\win333\ntlm.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Fhgym] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [zmzf] C:\PROGRA~1\COMMON~1\zmzf\zmzfm.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rrdsregp.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://jaguar2.spelman.edu/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://jaguar2.spelman.edu/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A34EC17F-04AD-4273-8E85-C92B4241A0D8}: NameServer = 205.188.146.145
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - AppInit_DLLs: mad.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
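The two logs posted in this thread are what the responder reads by eye: the extra executable on the Winlogon Shell= line, Run entries that name a bare file with no directory, RunServices entries, a system-binary name such as wuauclt.exe living outside System32, a non-empty AppInit_DLLs value, services with no vendor, and a hand-set NameServer. The script below is an added example, not code from any post here and not part of HijackThis itself: it parses HJT-style lines, attaches a reason to each entry worth a second look, and diffs the first log against the second so the effect of the Ad-Aware/VX2 run is visible as a list of lines that disappeared. The sample lines are excerpted from the two logs above; the rules, the LOOKALIKES set and the function names target_path, check_path, triage and diff_logs are this example's own assumptions.

```python
"""Triage helper for HijackThis (HJT) v1.99 logs. Added example for this thread,
not code from any post or from HJT: parse a log, flag the autostart entries a
responder looks at first, and diff a before/after pair. Rules are the example's own."""
import re

# Constructed sample input: lines excerpted from the two logs posted above
# (BEFORE = first post, AFTER = the log posted after the Ad-Aware/VX2 run).
BEFORE = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] wininit32.exe
O4 - HKLM\..\Run: [Windows+Services] c:\windows\win333\ntlm.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\SKS~1\wuauclt.exe" -vt yazr
O4 - HKCU\..\Run: [Fhgym] C:\WINDOWS\System32\??rss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A34EC17F-04AD-4273-8E85-C92B4241A0D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: mad.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFpeWE\command.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
AFTER = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows+Services] c:\windows\win333\ntlm.exe
O4 - HKCU\..\Run: [Fhgym] C:\WINDOWS\System32\??rss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A34EC17F-04AD-4273-8E85-C92B4241A0D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: mad.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

SYSTEM32 = r"c:\windows\system32"
# Genuine Windows binary names that malware in this log borrowed; real copies live in System32.
LOOKALIKES = {"wuauclt.exe", "csrss.exe", "services.exe", "svchost.exe",
              "winlogon.exe", "lsass.exe", "smss.exe", "userinit.exe"}
O4_RUNKEY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def target_path(command):
    """The executable in an autostart command: the quoted path, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_path(path):
    """Reasons a binary's location deserves a second look; [] means nothing obvious."""
    low = path.lower()
    folder, _, name = low.rpartition("\\")
    reasons = []
    if "\\" not in low:
        reasons.append("bare filename: located via the search path, not a fixed location")
    elif folder == r"c:\windows" or (
            folder.startswith("c:\\windows\\") and not folder.startswith(SYSTEM32)):
        reasons.append("runs from the Windows root or a non-standard Windows subfolder")
    if name in LOOKALIKES and folder != SYSTEM32:
        reasons.append(f"system binary name {name} outside System32")
    if "?" in name or any(ord(ch) > 127 for ch in name):
        reasons.append("non-ASCII or unprintable characters in the file name")
    return reasons


def triage(log):
    """(line, reason) pairs for the entries a responder should examine first."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        section, _, rest = line.partition(" - ")
        reasons = []
        if section == "F2" and "Shell=" in rest:
            if rest.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                reasons.append("Winlogon Shell has an extra executable appended")
        elif section == "F2" and "UserInit=" in rest:
            value = rest.split("UserInit=", 1)[1].strip().rstrip(",").lower()
            if value != SYSTEM32 + r"\userinit.exe":
                reasons.append("UserInit is not the stock userinit.exe")
        elif section == "O4" and (m := O4_RUNKEY.match(rest)):
            _hive, key, _name, command = m.groups()
            reasons += check_path(target_path(command))
            if key == "RunServices":
                reasons.append("RunServices: a Windows 9x/ME key that XP ignores; XP software rarely sets it")
        elif section == "O20" and rest.partition(":")[2].strip():
            reasons.append("AppInit_DLLs loads this DLL into every process that links user32")
        elif section == "O17":
            reasons.append("custom NameServer: confirm the address belongs to your ISP")
        elif section == "O23":
            if "Unknown owner" in rest:
                reasons.append("service binary carries no vendor information")
            reasons += check_path(rest.rsplit(" - ", 1)[-1])
        findings += [(line, r) for r in reasons]
    return findings


def diff_logs(before, after):
    """Lines gone between two logs and lines that are new: a quick 'did the fix work' check."""
    old = {l.strip() for l in before.splitlines() if l.strip()}
    new = {l.strip() for l in after.splitlines() if l.strip()}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for line, reason in triage(BEFORE):
        print(f"{reason}\n    {line}")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"\ncleanup removed {len(removed)} lines, added {len(added)}")
```

A flag here is a prompt to verify, not a verdict: the Windows-root rule also fires on legitimately placed files such as AOL's wanmpsvc.exe in this log, so check the vendor, the file's age and whether it is signed before fixing an entry. The diff is the useful part after each cleanup round: on these samples it reports Nail.exe, the bare windir32/wininit32 entries, the SKS~1 wuauclt.exe and both unknown-owner services as gone, while ntlm.exe, ??rss.exe and the AppInit_DLLs entry survive, which matches what the second log above still shows.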
 

3 Apprentice, 15.2K Posts

April 17th, 2006 11:00

Well, it looks like Ad-Aware+VX2 successfully removed NAIL/epolovy/SvcProc ...
which was the goal of that part of the fix. So we're making progress, albeit slowly....
 
Now that you've run "several" scans with AVG and Ad-Aware... are both now reporting that you're "clean"?
[aside from any items that they may have successfully quarantined?] Or is either one still reporting problems?
 
Let's continue with your fix:
 

First, you should move the HJT program from your Desktop:

C:\Documents and Settings\Naiya\Desktop\HijackThis.exe

into a separate folder of its own... We recommend using folder C:\HJT , so that it will then appear in your log under running processes as C:\HJT\HijackThis.exe

[if you prefer, it's okay to have an HJT folder on your desktop, move the HJT program into this folder, and run it from there].

This is important because HJT generates log files, and backup files, in the folder from which it is run. So at present, all these logs/backups will just "clutter-up" your Desktop. And if you simply delete them from there, you'll lose the important backup information, which may be needed in case you have to "undo" [restore] some of the things you "FIX" incorrectly.

*********************************

after you move HJT, as i've just instructed:

close your internet browser

Run HJT. click on DO A SYSTEM SCAN ONLY

Place a check-mark in the box in front of each of the following lines:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=


R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=


R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=


R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

 

O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll

O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe




Click on FIX CHECKED. Close HJT. Reboot.

see if this reduced the popups any... specifically, those which were marked "Best Offers".

then generate a brand-new HJT log, REPLY to this thread, and post it here.

********************************

you still have significant problems [Zeno, and several others] but most, if not all, can be "conquered"... with some patience.   However, at this point, i personally have taken your analysis about as far as i feel comfortable, so i'm gonna have someone else [most likely RKinner] take over.

good luck.

 
 

3 Apprentice


15.2K Posts

April 17th, 2006 11:00

you wrote "In this particular instance, I wasn't able to type in my password after AVG restarted the computer while it was doing its scanning/cleaning."
 
i now take that to mean the computer booted up, and AVG was scanning/cleaning --- automatically --- and that, while scanning/cleaning, it did not offer you a "login" option.    is this correct?
 
If so, then this was completely normal.    the point being, that AVG was trying to do its job, clean your system, before any of the "garbage" had a chance to get loaded.   and in such a case, as long as it was running, it needs to continue/complete its scan without interruption.
 
in any event, i see that you eventually were able to complete both an AVG and an Ad-aware scan, so i take that to mean your computer is still booting up, and allowing you to login.    I will look at your HJT log in a few minutes.
 
 
 
 
 
 

5.9K Posts

April 17th, 2006 23:00

Get the latest version of ccleaner from http://www.ccleaner.com.
 
(the actual download is at: http://www.filehippo.com/download_ccleaner/
click on Download Latest Version)
 
Install it.  Don't let it clean anything yet. 
Download the killbox:
Unzip it to your desktop but don't run it.

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see
the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in as your usual login or you won't find
the programs you put on the desktop
and some of the entries we want to remove will not appear in HijackTHis.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
 
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {A50CC8D7-2E3E-56E9-1046-5A50DC2362C7} - C:\WINDOWS\System32\jxsw.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [dhalauq] c:\windows\system32\gaqsjli.exe
O4 - HKLM\..\Run: [{D9-9F-FD-DC-ZN}] c:\windows\system32\dwdsregt.exe FI003
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\System32\igps.exe"
O4 - HKLM\..\Run: [Windows+Services] c:\windows\win333\ntlm.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Fhgym] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [zmzf] C:\PROGRA~1\COMMON~1\zmzf\zmzfm.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rrdsregp.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - AppInit_DLLs: mad.dll

 
Run ccleaner.exe,
 
Select Options then Advanced and uncheck the box in front of:
Only Delete file in Windows Temp folders older than 48 hours.
Now select Cleaner
Under Cleaner Settings, Windows
 uncheck everything on the first page
except:
 under Internet Explorer
  - Temporary Internet Files
 under System
 - Empty Recycle Bin
 - Temporary Files
Under Cleaner Settings, Applications uncheck everything
except:
 Under Internet
 - Sun Java
Run Cleaner.
 
This should clean out all of the temp files including those of your java program
(where recently we are finding a lot of garbage.  You really should be running
the latest version of java and uninstall all old versions).  The reason I have
you uncheck most of the options is that I have had problems with it  deleting
too much so I want to limit it to things where I think malware might be hiding.
 

Run killbox.  Open Options and check Remove Directories
Where it says Full Path of File to Delete you need to type or copy (Highlight
and Ctrl + c)
and Paste (move to the killbox and place the cursor in the box and Ctrl + V):
 
C:\Program Files\TBONAS
 
Then check the Delete on Reboot box and the End Explorer Shell while killing file box
then the red button. 
It will say:  File Will Be Removed On Reboot, Do you want to reboot Now.
Tell it NO.  (If it can't find it that's OK just go on to the next one)
The desktop will vanish.  This is normal.
 
Repeat for:
 
c:\windows\win333
 C:\Program Files\Network
C:\Program Files\Common Files\VCClient
 C:\PROGRA~1\COMMON~1\zmzf
C:\Program Files\Ebates_MoeMoneyMaker

Let it reboot after the last one.  If you get a message about an external
process then Killbox is not going to work.  Let me know and we will try something else.

Reboot into regular mode run a new HJT log and post it as a reply.
 
Ron
 

12 Posts

April 18th, 2006 03:00

Ok, first question, how do I move HJT into another folder? I tried to click and drag the icon and it just created a shortcut.
 
Next issue, I tried to install the cleaner and it gets to the point where it says: Execute:'C:\DOCUME~1\Naiya\LOCALS~1\Temp\ytb2.exe"/s
 
and then it freezes and I have to use control-alt-delete to end the program.
 
I ran an HJT scan and fixed the files according to ky331's instructions, so now I am trying to follow the instructions per Ron. Thank you both for helping me!!!

3 Apprentice


15.2K Posts

April 18th, 2006 11:00

assuming you've already created another folder for HJT, then you can RIGHT-click on the HJT program, COPY it, place your cursor into the new folder,  RIGHT-click, and PASTE it there.
 
***************************
 
if you're having trouble creating the new folder, you can try this instead:
 
Download a self-extracting copy of the latest version of HJT (HiJackThis) (version 1.99.1) from
Save it to your Desktop.
Double-click on the hijackthis_sfx.exe file, and allow it to self-extract [by clicking on UnZip] into the suggested/default folder,
C:\Program Files\HijackThis
 
Use Windows Explorer to navigate your way into this folder, and then double click on HiJackThis.exe

Click on  Do a System Scan and Save a LogFile

This will automatically open NotePad

Copy the entire file from NotePad:  EDIT/SelectAll, EDIT/Copy

REPLY to this thread, and  PASTE the results here

Message Edited by ky331 on 04-18-2006 08:38 AM

5.9K Posts

April 18th, 2006 12:00

I think that's a yahoo tool bar install program.  Try running Ccleaner in Safe Mode:

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see
the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in as your usual login or you won't find
the programs you put on the desktop.

 

Ron

12 Posts

April 19th, 2006 05:00

Okey Dokey Ron,
I ran the computer in safe mode and deleted most of the files you told me to from the HJT scan. The file "O20 - AppInit_DLLs: mad.dll" would not delete and I was given an error message. I also could not get the ccleaner to install as it keeps freezing at the same point I previously told you about. I ran the killbox and it didn't give me an error message so I assume it did what it was supposed to do. I ran my AVG and it found 3 infected files, and I think it was able to quarantine 2 of the 3. I believe the last one was said to be embedded in the archive. Ummmm, I think that is all I have to report. Below is my HJT log. Please let me know what else I may need to do. You have been extremely helpful. THANKS :) !!!!
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 2:36:22 AM, on 4/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://jaguar2.spelman.edu/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://jaguar2.spelman.edu/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A34EC17F-04AD-4273-8E85-C92B4241A0D8}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: mad.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

5.9K Posts

April 19th, 2006 13:00

OK we are getting there.  Just the one line left:

 

O20 - AppInit_DLLs: mad.dll

We are going to try unlocker on it.

 

http://ccollomb.free.fr/unlocker/

 

Get it and install it.

Then Right click on Start and select Explore. Then in the new window find the Views icon (bottom right of the two toolbars at the top; it looks like a little window with a down arrow). Press it and select Details. Then select Tools, Folder Options, check Use Windows Classic Folders, Apply then View, check Show Hidden Files and Folders, and uncheck the two that start with Hide (ignore the warning), then say Apply. Then press Like Current Folder. OK.

Now locate the Windows\System32 folder (My Computer => Local Disk C: => Windows => System32) and click once on it. In the right pane will be a stupid message from Windows saying you don't need to see these files but if you insist click here (or words to that effect). When you click the link an alphabetical list of folders and files should appear. Scroll down until you find mad.dll and right-click on it and select Unlocker, then use unlocker to unlock and delete the file.

If it appears to have worked, run a new HJT scan only and check the entry if it still shows and Fix Checked  then reboot and make a new HJT log and post it.

Ron

Message Edited by RKinner on 04-19-2006 09:58 AM
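As an added example (not code posted by anyone in this thread), a small Python triage pass over HijackThis log lines in the format shown above: it parses the `<tag> - <body>` entries and flags the kinds of items Ron's fix list and the later AppInit_DLLs post single out (the two search-hijack domains, the unnamed URLSearchHook, the TBONAS/win333 paths, a Run entry with unprintable characters in its file name, a text/html filter with no file, and any non-empty AppInit_DLLs). The indicator lists are assumptions drawn only from this thread, not a general malware database, and the sample log is a constructed excerpt of lines copied from the logs above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A HijackThis entry is "<tag> - <body>"; tags are R0-R3, F0-F3, O1-O23.
HJT_ENTRY = re.compile(r"^(?P<tag>[RFO]\d{1,2}) - (?P<body>.+)$")

# Indicators taken from the fix lists in this thread (assumption: they are
# specific to this machine): hijack domains and folders named for removal.
HIJACK_DOMAINS = ("websearch.drsnsrch.com", "findthewebsiteyouneed.com")
BAD_PATH_FRAGMENTS = ("\\tbonas\\", "\\win333\\", "\\common files\\windows\\")


@dataclass
class Finding:
    tag: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HJT line into (tag, body); None for headers/process lines."""
    m = HJT_ENTRY.match(line.strip())
    return (m.group("tag"), m.group("body")) if m else None


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding when an entry matches one of the thread's indicators."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    tag, body = parsed
    low = body.lower()
    if tag in ("R0", "R1") and any(d in low for d in HIJACK_DOMAINS):
        return Finding(tag, "IE start/search setting points at a hijack domain", line)
    if tag == "R3" and "(no name)" in low:
        return Finding(tag, "unnamed URLSearchHook", line)
    if tag in ("O2", "O3", "O4") and any(p in low for p in BAD_PATH_FRAGMENTS):
        return Finding(tag, "loads from a folder named in the fix list", line)
    if tag == "O4" and "??" in body:
        # HJT prints non-ASCII file-name characters as '?', e.g. ??rss.exe
        # posing as csrss.exe; a legitimate Run entry never looks like this.
        return Finding(tag, "Run entry with unprintable characters in its path", line)
    if tag == "O18" and "(no file)" in low:
        return Finding(tag, "text/html filter whose handler file is missing", line)
    if tag == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        return Finding(tag, "non-empty AppInit_DLLs (loaded into every GUI process)", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_entry over every line of a log and collect the hits."""
    return [f for f in (triage_entry(l) for l in text.splitlines()) if f]


# Constructed excerpt: lines copied from the logs posted in this thread,
# plus benign entries (Dell home page, AVG tray, NVIDIA service) that must not fire.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://education.dellnet.com/
R3 - URLSearchHook: (no name) - {A50CC8D7-2E3E-56E9-1046-5A50DC2362C7} - C:\\WINDOWS\\System32\\jxsw.dll
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\\Program Files\\TBONAS\\TBONlchr.dll
O4 - HKLM\\..\\Run: [Windows+Services] c:\\windows\\win333\\ntlm.exe
O4 - HKCU\\..\\Run: [Fhgym] C:\\WINDOWS\\System32\\??rss.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - AppInit_DLLs: mad.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.tag:<4} {f.reason}\n     {f.line}")
```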

10 Elder


43.4K Posts

October 2nd, 2019 16:00

Last 2 posts are from a spammer...
