
116 Posts

December 14th, 2006 01:00

DSL connection problems, plz help! (HiJack This Log)

Well I thought we (Bugbatter and I) had got rid of whatever was on my computer a month ago but apparently did not. My McAfee subscription (was only 30 days apparently) ran out last night and a few minutes later started acting up the way it did last time. It disables your DSL connection and only intermittently lets you use the internet. I am actually writing this on Word so that in the minute it gives me to get on the net I can hopefully post this to you in time before it goes again!

I get a few random ad pop-ups but mostly I am getting a windows prompt that is labeled “RUNDLL” and says:

Error loading

The specified module could not be found.

(Then a prompt ‘ok’ button to close it)

The “

The only other pop-ups I notice are black rectangular DOS prompt type boxes that pop up for a split second then disappear, but it doesn't look like anything is written on them – as fast as one comes up it's gone.

I updated and ran AVG Anti-Spyware and it found 164 medium threats and 3 high threats: Backdoor.Small.is, Backdoor.Agent.aif, and Trojan.BHO.d – it was able to quarantine them all. After restarting I scanned again and it shows it’s all clean but I’m having the problems like I said before.

I haven’t been able to check for updates for HiJack This just yet (can’t get online right now) but I ran my v1.99.1 version of HiJack This and here is what I’ve found:

Logfile of HijackThis v1.99.1
Scan saved at 1:15:58 AM, on 12/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\weRecv.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\prevx.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wininet.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrevX] C:\WINDOWS\System32\prevx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: Netmeeting For Windows (Netmeeting For Microsoft Windows) - Unknown owner - C:\WINDOWS\weRecv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe

After we get this situated I would like to know what I need to do to secure my computer from viruses (I had McAfee but the subscription just ran out). I went to the McAfee website to subscribe to it for a year but there were several options and it was a bit confusing. One offered $49.99 for 8-in-1 protection, another $39.99 for a year 3-in-1 I believe, and $39.99 for another option. I always thought you just bought it as a suite together as one but now that I see there’s more than one thing to install I’m confused as to what I really need from McAfee??

Cheers.

EE

P.S. I’ll try to check the page as soon as possible (net willing)!


5.9K Posts

December 14th, 2006 16:00

Boot into Safe Mode without Networking:
 
reboot and when you see the maker's logo start tapping the F8 key until it gives you the Safe Mode menu.  Choose the top option and login as your usual login.
 
Run HJT (scan only) and check the following then Fixed Checked.
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrevX] C:\WINDOWS\System32\prevx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) -
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll
O23 - Service: Netmeeting For Windows (Netmeeting For Microsoft Windows) - Unknown owner - C:\WINDOWS\weRecv.exe

Two of the above (the first two O4's) may or may not be bad.  The program names are good names but either the location looks wrong or other files that normally load at the same time are not present.  In any case it won't hurt anything to remove them.
 
Before you reboot into normal mode let's get rid of

C:\WINDOWS\System32\wininet.exe

Since Windows likes to hide files in the System32 folder we need to tell it first to let us see it:

To enable the viewing of Hidden files follow these steps:

  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon.
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button.
  10. Now your computer is configured to show all hidden files.

While still in Explorer locate the Windows folder in the left pane.  Click on the plus in front of it and it will show you the subfolders.  Find System32 and click on it.  In the right pane see if you can find wininet.exe.  To make your life easier go up to the toolbar and look for the little rightmost icon on the bottom toolbar.  It looks like a little window and has a down arrow next to it.  When you run the cursor over it it will say Views.  Open it.  Click on Details and it will change the right pane from a bunch of icons to an alphabetical list of files.  When you find wininet.exe (not wininet.dll which is a good file - hopefully) note the time and date under Modified then delete the file.  Also look for and delete Sysd.dll and Exelib.dll files.  If you click on Modified it will sort things by the date and time.  Look for files with  the same time and date as the wininet.exe and delete (or rename) any that are within 5 minutes either way.

 

Reboot, run a new HJT scan and post it as a reply.  Let me know if things are any better and if you were able to find the two dll files. 

If this is the wininet.exe I think it is then it is a password stealing worm built from a kit (a virus generating program) so once we get this fixed check your credit cards and bank statements and email accounts and anything else you may have  opened via the PC.

 

Ron
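Ron's "same time and date" check above can be done mechanically. This added example is not from the thread or any tool it mentions: given a directory listing (here a constructed stand-in for Explorer's Details view, with file names from the thread and invented timestamps) it reports the files modified within five minutes either side of a pivot file such as wininet.exe, and deletes nothing; `scan_directory` applies the same read-only check to a real folder.

```python
import os
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # "within 5 minutes either way"

# Constructed stand-in for the Modified column of Explorer's Details view of System32.
# The names appear in the thread; the timestamps are invented for the illustration.
SAMPLE_LISTING = [
    ("kernel32.dll", datetime(2004, 8, 4, 12, 0)),
    ("wininet.dll", datetime(2004, 8, 4, 12, 0)),    # the genuine file, untouched
    ("prevx.exe", datetime(2006, 11, 2, 18, 5)),
    ("exelib.dll", datetime(2006, 12, 13, 0, 39)),
    ("wininet.exe", datetime(2006, 12, 13, 0, 41)),  # the pivot: the suspect file
    ("sysd.dll", datetime(2006, 12, 13, 0, 43)),
    ("svshost.dll", datetime(2006, 12, 13, 0, 50)),  # nine minutes later: outside the window
]


def dropped_alongside(listing, pivot_name, window=WINDOW):
    """Files whose Modified time lies within +/- window of the pivot file's.

    listing: iterable of (filename, datetime). The pivot itself is excluded.
    Returns [(name, mtime), ...] ordered by time, like the view sorted on Modified.
    """
    by_name = {name.lower(): mtime for name, mtime in listing}
    try:
        pivot = by_name[pivot_name.lower()]
    except KeyError:
        raise FileNotFoundError(f"{pivot_name} is not in the listing") from None
    cluster = [(name, mtime) for name, mtime in listing
               if name.lower() != pivot_name.lower() and abs(mtime - pivot) <= window]
    return sorted(cluster, key=lambda item: (item[1], item[0].lower()))


def scan_directory(path, pivot_name, window=WINDOW):
    """Same check against a real folder (e.g. C:\\WINDOWS\\System32); reads only, never deletes."""
    listing = [(entry.name, datetime.fromtimestamp(entry.stat().st_mtime))
               for entry in os.scandir(path) if entry.is_file()]
    return dropped_alongside(listing, pivot_name, window)


if __name__ == "__main__":
    for name, mtime in dropped_alongside(SAMPLE_LISTING, "wininet.exe"):
        print(f"{mtime:%m/%d/%Y %I:%M %p}  {name}")
```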

20.5K Posts

December 14th, 2006 17:00

Hi englisheeyore,
Your log is showing a few changes since we worked on it a month ago.
I've locked your thread at CastleCops due to lack of feedback from you.
Please continue working with Ron here. Thank you, Ron. :)

116 Posts

December 17th, 2006 18:00

Thanks so much for both of your help! 
 
BugBatter - Thanks, I wasn't sure if I should post back there for start a new thread since it had been about a month since then.
 
Ron - I got half of the message before my computer froze up so I went ahead and tried removing in safe mode (w/o networking) all the files you suggested using HiJack This, and all were deleted EXCEPT:

O23 - Service: Netmeeting For Windows (Netmeeting For Microsoft Windows) - Unknown owner - C:\WINDOWS\weRecv.exe

This file keeps showing up when I scan it (using HiJack This) - I can't seem to remove it. After removing the other files (but keeping the O23 file) I tried rebooting but it won't go to desktop, instead it goes to a blue screen with a STOP message and I have to restart manually. Upon next start up it says the computer was improperly shut down, would I like to revert to the last time the system was stable, so I chose that option and it gets me back to desktop.

I did not try removing the C:\WINDOWS\System32\wininet.exe so I will go home and try doing that as well and see if it works. I am on someone else's computer at the moment because my computer has decided not to let me on the net at all now. I recently ordered a new computer for myself so I should have reliable access to the internet later this week in order to reply faster.

(The new computer has Norton Antivirus 90-day trial so I'm looking for McAfee Anti-Virus Suite lately to safeguard my new computer!).

 

EE

 


5.9K Posts

December 18th, 2006 00:00

Start, Run, services.msc, OK and then find the
Netmeeting For Windows (Netmeeting For Microsoft Windows) service and doubleclick on it.  Press the Stop button and see if it will stop.  In any case try changing the Startup Type from Automatic to Disabled then Apply.
 
Reboot and see if it still shows up.
 
Start, Run, sigverif, OK and then press Start when the new program comes up.  Let it finish (takes a few minutes) and then it should come back and give you a list of files it doesn't like.  Do you see wininet.dll there?  If not what .exe, .sys, .dll files do you see that have recent dates (since about the time the problem started.)
 
Ron

Message Edited by RKinner on 12-17-2006 08:49 PM

116 Posts

December 18th, 2006 06:00

Here is my Log:
 
Logfile of HijackThis v1.99.1
Scan saved at 2:11:27 AM, on 12/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=52272
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)

116 Posts

December 18th, 2006 06:00

Ran services.msc - did not find Netmeeting For Windows but DID find Netmeeting Remote Desktop Sharing and disabled it. There was not a "Stop" option only a "Start" option so I only disabled it nothing more. Also disabled:
 
Remote Access Auto Connection Manager
Remote Access Connection Manager (said "Started")
Remote Desktop Help Session Manager
Remote Procedure (RPC) (said "Started")
Remote Procedure Call (RPC) Locator
 
so I disabled them as well just in case (their status said "Started" on two of them so I disabled just in case).
 
 
 
Tried deleting wininet.exe and weRecv.exe by hand but they keep reappearing. My AVG Anti-Virus even says these two are in quarantine but they keep showing up in scans.
 
 
 
After running sigverif only found a few questionable files from around the approximate time (I don't know if any are related to the problem or not):
 
[c:\program files\common files\microsoft shared\vgx] vgx.dll    9/18/2006    2:5.x  Signed KB925486-IE6SP1-2006Microsoft Windows Component Publisher
 
browseui.dll   9/4/2006    2:5.1 Signed     KB924496.cat       Microsoft Windows Component Publisher
 
msxm13.dll   9/12/2006   2:5.1 Signed    KB924191.cat       Microsoft Windows Component Publisher
 
shdocvw.dll   9/4/2006    2:5.1 Signed    KB924496.cat      Microsoft Windows Component Publisher
 
 
 
Note: A file by the name of wbRecv.dll has begun to show up in the HiJack This Log and I started to have approx 100 instant IE windows pop up while trying to log into Dell Support site, not to mention I can't log into Yahoo or MSN - I am certain you are correct and it has stolen my passwords. Hadn't had a problem logging in using a password anywhere until today.
 
Thanks.
EE


5.9K Posts

December 18th, 2006 11:00

The services you turned off were all real Microsoft services but the only two that are important are the two Remote Procedure Call (RPC) which should be Automatic and Started and the Remote Procedure Call (RPC) Locator which should be Manual.
 
We are looking at three evil doers in HJT right now.
 
 
O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll (file missing)
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)
 
HJT seems to think that two of them are gone and I don't see any of them in the processes list so we may be making progress.  The O20 is new so something we did may have made it visible.
 
HJT, Misc Tools, Delete a File on Reboot may be able to help us get rid of them depending on how smart they are.  If not we can try Avenger.  Run the Delete on Reboot then point it to
 
C:\WINDOWS\System32\systn2.dll
and Open, it will want to reboot but tell it No and try and repeat for the other files.  Generally this doesn't work because the evil file will notice that we are trying to get rid of it and stop the delete on reboot process.  So if that happens we try Avenger:
 
1. Please download The Avenger from 
http://swandog46.geekstogo.com/avenger.zip
to your Desktop.
Rightclick on Avenger.zip and select Extract All
Extract avenger.exe to your desktop
2. Copy all the text contained between the stars (do not include the stars) below to your Clipboard by highlighting it and pressing (Ctrl+C):
*************************************************************
Files to Delete:
C:\WINDOWS\System32\systn2.dll
C:\WINDOWS\System32\svshost.dll
C:\WINDOWS\wbRecv.exe
C:\WINDOWS\wbRecv.dll
C:\WINDOWS\System32\wininet.exe
 

*****************************************************************

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
 
 
If Avenger can't get it then we try unlocker
 
Download and install unlocker.
 
 
Using Explorer (rightclick on Start and select Explore) find each of the files and then rightclick on each and select Unlocker and let it unlock and delete the file for you.
Reboot and make a new HJT log and post it as a reply.
 
Ron
116 Posts

December 19th, 2006 05:00

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jryknmbj

*******************

Script file located at: \??\C:\Program Files\votlvasq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\System32\systn2.dll not found!
Deletion of file C:\WINDOWS\System32\systn2.dll failed!

Could not process line:
C:\WINDOWS\System32\systn2.dll
Status: 0xc0000034



File C:\WINDOWS\System32\svshost.dll not found!
Deletion of file C:\WINDOWS\System32\svshost.dll failed!

Could not process line:
C:\WINDOWS\System32\svshost.dll
Status: 0xc0000034



File C:\WINDOWS\wbRecv.exe not found!
Deletion of file C:\WINDOWS\wbRecv.exe failed!

Could not process line:
C:\WINDOWS\wbRecv.exe
Status: 0xc0000034



File C:\WINDOWS\wbRecv.dll not found!
Deletion of file C:\WINDOWS\wbRecv.dll failed!

Could not process line:
C:\WINDOWS\wbRecv.dll
Status: 0xc0000034



File C:\WINDOWS\System32\wininet.exe not found!
Deletion of file C:\WINDOWS\System32\wininet.exe failed!

Could not process line:
C:\WINDOWS\System32\wininet.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

116 Posts

December 19th, 2006 06:00

I turned the real Microsoft services back on, downloaded Avenger and Unlocker, but wasn't able to find the files to try to delete them using any of the 3 methods. I double checked that all files are being shown. HJT is seeing them but for some reason they aren't showing themselves to me anymore - however, I know it's still there. Here is a new log anyway:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:18 AM, on 12/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\System32\msasvc.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\WINDOWS\dmrproc.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=52272
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\hpaobxnf.dll",setvm
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINDOWS\dmrproc.exe
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)


5.9K Posts

December 19th, 2006 11:00

This beast is changing.  We have a few more lines:
 
O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINDOWS\dmrproc.exe
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)
 
Let's see if they are visible in Command Prompt.  Reboot into Safe Mode and select Command Prompt.  This will take you to a black cmd screen after you log in.  Type:
 
cd \windows\system32
 
(SPACE after cd.  Prompt should change to C:\windows\system32)
 
attrib -r -s -h dmrproc.exe
del /f dmrproc.exe
mkdir dmrproc.exe
 
(Same thing with SPACE where each space should go:
attrib SPACE -r SPACE -s SPACE -h SPACE dmrproc.exe
del SPACE /f SPACE dmrproc.exe
mkdir SPACE dmrproc.exe
What this does is remove the read only, system and hidden flags to make the file easier to see.  Then we try to delete it.  Then we try to make a directory with the same name.  This keeps the program from putting it back since windows won't allow a directory and a file with the same name in the same place.  Repeat the procedure for each of the files listed above.  The two that HJT says are missing may really not be there but try them anyway.  Then reboot)
 
 
 
I hate O20 AppInit_DLLs infections.  Sometimes the easiest way to get rid of them is to use their own uninstall program.  Let's see if the installed program list gives us a clue.  Run HJT, Misc Tools then, Add/Remove Programs Manager, then Save List, that will bring up a notepad copy of the list.  Edit, Select All then Edit Copy then move to a reply and Edit, Paste. 
 
Lets see if prevx1 can get it.  They claim they can and they claim this download is free.  No doubt they will want to sell you something somewhere in the process but give it a shot.
 
 
If that doesn't help (or you have already tried it).  The next step will be Ice Sword.  I don't have the procedure here at work so will have to wait until I get home.
 
Ron
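The entries Ron keeps singling out in this thread (AppInit_DLLs, SSODL, unknown-owner services sitting directly under C:\WINDOWS or System32, "(file missing)", a rundll32 autorun of an odd DLL, and look-alike names such as svshost.dll next to the real svchost.exe) can be checked mechanically. This added example is not from the thread or from HijackThis: it parses a constructed handful of the log lines quoted above and returns, per entry, the reasons a reviewer would flag it; the heuristics and the KNOWN_SYSTEM list are assumptions made for the illustration, not an exhaustive rule set.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few of the HijackThis lines quoted in this thread,
# mixed with known-good entries so the heuristics have something to pass.
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\hpaobxnf.dll",setvm
O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINDOWS\dmrproc.exe
"""

# Genuine Windows binaries that files in this thread imitate (svshost.dll, wininet.exe). Assumed list.
KNOWN_SYSTEM = {"svchost.exe", "wininet.dll", "lsass.exe", "services.exe", "winlogon.exe"}
# Directories where a service with no vendor deserves a second look.
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; the look-alike check only cares about 0 or 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str):
    """Return the genuine name a file imitates (same stem with the wrong extension, or one edit away)."""
    name = filename.lower()
    stem = PureWindowsPath(name).stem
    for real in KNOWN_SYSTEM:
        if name != real and edit_distance(stem, PureWindowsPath(real).stem) <= 1:
            return real
    return None


def triage_line(line: str):
    """Return the reasons this HijackThis entry deserves scrutiny (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, rest = m.group(1), m.group(2)
    path_match = PATH_RE.search(rest)
    path = PureWindowsPath(path_match.group(0)) if path_match else None
    parent = str(path.parent).lower() if path else ""
    reasons = []
    if "(file missing)" in rest:
        reasons.append("registry entry points at a file that is gone or hidden")
    if section == "O20":
        reasons.append("AppInit_DLLs entry is loaded into every process that uses user32.dll")
    if section == "O21":
        reasons.append("SSODL entry is loaded by the shell at logon")
    if section == "O23" and "Unknown owner" in rest and parent in WINDOWS_DIRS:
        reasons.append("service with no vendor running straight from the Windows directory")
    if section == "O4" and "rundll32.exe" in rest.lower() and path and path.name.lower() not in KNOWN_SYSTEM:
        reasons.append("rundll32 autorun of an unrecognised DLL (a RUNDLL 'module not found' popup follows once the DLL is removed)")
    if path:
        real = lookalike_of(path.name)
        if real:
            reasons.append(f"file name imitates {real}")
    return reasons


def triage_log(text: str):
    """Map each suspicious line to its reasons, in log order."""
    flagged = {}
    for ln in text.strip().splitlines():
        reasons = triage_line(ln)
        if reasons:
            flagged[ln] = reasons
    return flagged


if __name__ == "__main__":
    for ln, reasons in triage_log(SAMPLE_LOG).items():
        print(ln)
        for r in reasons:
            print("   -", r)
```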

116 Posts

December 20th, 2006 07:00

Ron -

Ran the Command Prompt for the 4 different files:
-For svshost.dll, wbRecv.exe, and dmrproc.exe it told me FILE NOT FOUND/COULD NOT FIND.
-For msasvc.exe everything worked (it found it and deleted it supposedly)

Ran HJT, Misc Tools, Add/Remove Programs Manager then Save List but nothing happened. It closed HJT without notepad opening up.

Downloaded Prevx1 (30 day free trial), ran it, and it started blocking files like crazy. It has 15 files now in "jail" and a few of them are in there 2 or 3 times (same file). Looks like it caught dmrproc.exe.

Here is a new HJT Log, looks like we have a bit more mumbo jumbo to work with in the log and a few of our old friends (I use the term loosely) are back:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:39 AM, on 12/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=52272
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Helper Class - {00D13CE9-1879-41bd-B8A3-EA3CB1BD01BC} - C:\WINDOWS\System32\helper1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O2 - BHO: (no name) - {3A5CA915-D1A7-4881-B95F-B024B4674C9D} - (no file)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\System32\gibhcxwm.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\hpaobxnf.dll",setvm
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O20 - Winlogon Notify: awtqppn - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\
O20 - Winlogon Notify: rpcc - C:\WINDOWS\
O20 - Winlogon Notify: szr_dll - szr_dll.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)

2 Intern


5.9K Posts

December 20th, 2006 09:00

That was a disappointment. Part of it was my fault though. I forgot to make the critical file red: systn2.dll
 
 
O2 - BHO: Helper Class - {00D13CE9-1879-41bd-B8A3-EA3CB1BD01BC} - C:\WINDOWS\System32\helper1.dll

O2 - BHO: (no name) - {3A5CA915-D1A7-4881-B95F-B024B4674C9D} - (no file)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\System32\gibhcxwm.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\hpaobxnf.dll",setvm


O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O20 - Winlogon Notify: awtqppn - C:\WINDOWS\

O20 - Winlogon Notify: pmnnn - C:\WINDOWS\
O20 - Winlogon Notify: rpcc - C:\WINDOWS\
O20 - Winlogon Notify: szr_dll - szr_dll.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner -
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)
 
Boot into Safe Mode, command prompt again and repeat the process for:
systn2.dll
svshost.dll
hpaobxnf.dll
gibhcxwm.dll
szr_dll.dll
 
except before you del /f the file try to unregister it first like this:
 
attrib -r -s -h systn2.dll
regsvr32 /u systn2.dll
del /f systn2.dll
mkdir systn2.dll
 
Also one of the files lived in C:\windows so we need to look there too
 
cd \windows
 
(Prompt changes to C:\windows)
 
then repeat the attrib,del and mkdir commands for
 
wbRecv.exe
 
(Only use the regsvr32 command with .dlls)
 
Reboot and boot into Safe Mode without networking (top option).
 
Run HJT and check all of the ones listed above. Then Fix Checked.
 
Ron
 
I'll send you the ice sword writeup when I get to work.  Out of time this morning.

Message Edited by RKinner on 12-20-2006 07:02 AM
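The line-picking Ron does above (AppInit_DLLs, Winlogon Notify entries that show only a directory, nameless BHOs, rundll32 Run entries, "Unknown owner" services, missing files, and the svshost/svchost lookalike) written out as a small triage helper over HijackThis log lines. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the logs posted above, and the lookalike list is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis logs in this thread, plus two
# benign entries (Adobe BHO, Intel igfxcui) that should come back clean.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A5CA915-D1A7-4881-B95F-B024B4674C9D} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\hpaobxnf.dll",setvm
O20 - AppInit_DLLs: C:\WINDOWS\System32\systn2.dll
O20 - Winlogon Notify: awtqppn - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\System32\svshost.dll
O23 - Service: Windows Remote Access - Unknown owner - C:\WINDOWS\wbRecv.exe (file missing)
"""

# Assumed list of file stems that imitate svchost.exe (the thread's svshost.dll is one).
LOOKALIKES = {"svshost", "scvhost", "svchosts", "svch0st"}


def triage_line(line: str) -> List[str]:
    """Return the reasons a HijackThis entry deserves a second look; empty = nothing noted."""
    reasons: List[str] = []
    m = re.match(r"(O\d+|R\d) - (.*)", line.strip())
    if not m:
        return reasons                   # header or process-list line, not an entry
    section, body = m.groups()
    path = body.rsplit(" - ", 1)[-1]     # the last " - " field is the file path, if any
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs set: the DLL is loaded into every process using user32")
    if section == "O20" and body.startswith("Winlogon Notify:") and path.endswith("\\"):
        reasons.append("Winlogon Notify handler shows only a directory, DLL name hidden")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if section == "O4" and "rundll32.exe" in body:
        reasons.append("Run entry starts a DLL through rundll32")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with unknown owner (verify vendor; many third-party ones are fine)")
    if "(file missing)" in body or path == "(no file)":
        reasons.append("referenced file is missing (orphaned or hidden entry)")
    stem = re.sub(r"\.\w+$", "", path.split("\\")[-1]).lower()
    if stem in LOOKALIKES:
        reasons.append(f"file name '{stem}' imitates a Windows system binary")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines are left out."""
    return {ln.strip(): triage_line(ln) for ln in text.splitlines() if triage_line(ln)}
```

The output is a list of entries to look at, not a verdict: the same logs show SiteAdvisor and Prevx services as "Unknown owner", which is why the vendor check is still manual.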

2 Intern


5.9K Posts

December 20th, 2006 11:00

You may have better luck with larger downloads if you boot into Safe Mode with Networking.
 
This is the first time I've used this in a while so if you have any problems with it tell me.
 
 
Get the Ice Sword program from:
 
 
IE will probably block the download and tell you it did so in a line at the top.  Click on the line and it will let you tell it to download the file.  Save it to your desktop.
 
You won't be able to unpack it yet.
 
We need to get 7-zip for that.
 
 
Click on the Download link just below where it says:
Download 7-Zip 4.42 (2006-05-14) for Windows:
 
or just click on this link.
 
 
IE will probably block the download and tell you it did so in a line at the top.  Click on the line and it will let you tell it to download the file.  Save it to your desktop.
 
Run the 7z442.exe file, Install, then put it on your desktop by Browse then point to the desktop. It should create a folder called 7-zip. Open the folder and run 7ZFM.exe. Then when 7-zip opens, double-click on Computer in the bottom pane. Then double-click on C: then on Documents a. (Documents and Settings is the full name but you won't see all of it unless you increase the column width) then on your login name then on Desktop. You should now see the Icesword1.18.rar. Click once on it then on the big minus at the top (Extract). It will want to know where to put it. Put it on the desktop.
 
Now close 7-zip, boot into Safe Mode and open the icesword1.18 folder on your desktop. You will find another folder inside. Open it too. Now double-click on IceSword.exe. It should open with a blank pane and a column of icons on the left.
 
Click on the first icon in the left column of icons and look in the right pane. See if you find any of our known bad guys. If you find one, highlight it and click on the red X at the top of the window. Also look for any lines in red. These are hidden files. Sometimes these are good guys from ZoneAlarm or an antivirus but often they are evildoers. Write down their names and tell me. You can also locate the file with Start, Search (Hidden and System files) or right-click on Start and use Explore then right-click on the file and check its properties. If it doesn't say it's from a well known company then go back to IceSword and red X it too.
 
Repeat for each Icon in the left panel except the last couple which talk about logs.  Then close IceSword and reopen it and repeat the above one more time.
 
Close IceSword and do a Search (or look for them in Explore) for all of the known evildoers.  Delete any you find.
 
Run a new HJT and check any of the previously identified lines and Fix Checked.  Then run the prevx program and have it scan your system. 
 
Reboot and make a new HJT log and post it as a reply.
 
Ron
 
 

116 Posts

December 20th, 2006 22:00

Ron - I just got done executing the first half of your two-post message and here is where we are. The cmd prompt kept giving me "File not Found" and "Access is denied" messages; however, I went ahead and did as you said for each file. After rebooting I ran HJT and fixed the said files, then ran HJT again. Here is our log:
 
Logfile of HijackThis v1.99.1
Scan saved at 6:26:04 PM, on 12/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=52272
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
 
You would know better than me, but it looks like we may have evicted quite a few of our unwanted tenants! (at least I hope). Since Prevx1 is now running on my computer I have been able to use DSL with no problems AND stay online -- luckily this makes it easier to follow through to the next step. I am going to run Prevx1 then continue on to Ice Sword. I will post back asap.
 
EE

2 Intern


5.9K Posts

December 20th, 2006 23:00

Either things are getting much better or we have scared them back into hiding.
 
This is the only one that I still see.
 
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
 
and I don't think it's active.  There's no sign of it in the process list and that was one of the ones that you were able to replace with a directory.
 
You might look in the Services list as before and see if you can see it and set its StartupType to Disabled.
 
Ron
 