Important:
Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
OK, I have done as you suggested. Here is the log on newer version of HJT.
Logfile of HijackThis v1.99.1
Scan saved at 2:49:55 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
My suggestion is so that you can follow all of this, to copy all the text to a wordpad file on your computer.
Please make sure that you can view all hidden files. Instructions on how to do this can be found below: Please download About:Buster from here:
http://downloads.malwareremoval.com/AboutBuster.zip.Once it is downloaded extract it to c:\aboutbuster. You must run this program and get the latest ref file (currently 23) - BUT do not run the fix in the program. We will use that program later in this process.
Next download CWShredder - , install. If you already have CWShredder, please delete it and download the latest version. We will use that program later in this process.
Ok.
Now reboot to safe mode (F8 at boot time).
Run Hijackthis and with all windows closed put a check mark next to the following
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [mscv32.exe] C:\WINDOWS\mscv32.exe O4 - Global Startup: Forget Me Not.lnk = ?
· Immediately begin tapping the F8 key continually · Select the option for Safe Mode using the arrow keys · Press enter on your keyboard to begin Safe Mode · A black screen will appear then Windows will load
Showing Hidden Files and Folders·
Click Start
· Open My Computer · Select the Tools Menu and click Folder Options · Select the View Tab · Under the hidden files and folders heading, Select Show · Uncheck: Hide File extensions for known file types · Uncheck: Hide protected operating system files · Click Yes to Confirm · Click Ok
Use the search option on the start menu (bottom left hand corner of the screen) to search for and find the following files and folders:
Files
C:\WINDOWS\mscv32.exe C:\WINDOWS\ipfo.exe
If found delete the offending file (they may not be there this is fine)
Reverse the above to hide your files and folders
Then run cwshredder, hit 'fix' as opposed to 'scan only'. Let it delete all it finds.
Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe , When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. (It does take a long time to run)
Reboot to normal mode.
Now do a new Hijackthis log and post that with the about:buster log for me to see.
Logfile of HijackThis v1.99.1
Scan saved at 2:07:37 PM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Bertha2
711 Posts
0
March 8th, 2005 14:00
You can do this by going to My Computer (Windows key+e) then double click on C:
then right click and select New then Folder and name it HJT.
CStrain
3 Posts
0
March 8th, 2005 17:00
Logfile of HijackThis v1.99.1
Scan saved at 2:49:55 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\mscv32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\ipfo.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\WILLAR~1.STR\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mscv32.exe] C:\WINDOWS\mscv32.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\WILLAR~1.STR\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\ipfo.exe
Bertha2
711 Posts
0
March 9th, 2005 06:00
Bertha2
711 Posts
0
March 9th, 2005 07:00
My suggestion is so that you can follow all of this, to copy all the text to a wordpad file on your computer.
Please make sure that you can view all hidden files. Instructions on how to do this can be found below:
Please download About:Buster from here: http://downloads.malwareremoval.com/AboutBuster.zip. Once it is downloaded extract it to c:\aboutbuster. You must run this program and get the latest ref file (currently 23) - BUT do not run the fix in the program.
We will use that program later in this process.
Next download CWShredder - , install. If you already have CWShredder, please delete it and download the latest version.
We will use that program later in this process.
Ok.
Now reboot to safe mode (F8 at boot time).
Run Hijackthis and with all windows closed put a check mark next to the following
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [mscv32.exe] C:\WINDOWS\mscv32.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O23 - Service: Remote Procedure Call (RPC) Helper ( 6QÔõ'ª´ÆÐ - Unknown owner - C:\WINDOWS\ipfo.exe
Click "FIX"
Reboot into Safe Mode
Start-Logoff-Restart
· Immediately begin tapping the F8 key continually
· Select the option for Safe Mode using the arrow keys
· Press enter on your keyboard to begin Safe Mode
· A black screen will appear then Windows will load
Showing Hidden Files and Folders·
Click Start
· Open My Computer
· Select the Tools Menu and click Folder Options
· Select the View Tab
· Under the hidden files and folders heading, Select Show · Uncheck: Hide File extensions for known file types
· Uncheck: Hide protected operating system files
· Click Yes to Confirm
· Click Ok
Use the search option on the start menu (bottom left hand corner of the screen) to search for and find the following files and folders:
Files
C:\WINDOWS\mscv32.exe
C:\WINDOWS\ipfo.exe
If found delete the offending file (they may not be there this is fine)
Reverse the above to hide your files and folders
Then run cwshredder, hit 'fix' as opposed to 'scan only'. Let it delete all it finds.
Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe , When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. (It does take a long time to run)
Reboot to normal mode.
Now do a new Hijackthis log and post that with the about:buster log for me to see.
Bertha2
CStrain
3 Posts
0
March 9th, 2005 17:00
Logfile of HijackThis v1.99.1
Scan saved at 2:07:37 PM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Willard E. STRAIN\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\WILLAR~1.STR\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
Bertha2
711 Posts
0
March 10th, 2005 08:00
Can I have the aboutbuster Log too?
Bertha2