SpotCheckBilly, 932 Posts, December 21st, 2005 22:00
Welcome to the Dell forums
Please print these instructions out for use in Safe Mode.
Please download VundoFix© to your desktop.
- Double-click VundoFix.exe to extract the files
- This will create a VundoFix© folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
- Once in safe mode open the VundoFix© folder and double-click on KillVundo.bat
- You will first be presented with a warning.
- It should look like this
Quote: VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
Quote: Please Type in the filepath as instructed by the forum staff and then press enter:
Quote: Please type in the second filepath as instructed by the forum staff then press enter:
NOTE: Please take notice that this filename is the original name (from above) spelled backwards.
Open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u twencndc.dll
It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebyx.dll (filesize 27149 bytes, MD5 06E858453DB79C4F67848D0D3FC09878)
O2 - BHO: (no name) - {84acd4e1-ffc1-4202-8027-cc867049aaeb} - C:\WINDOWS\system32\twencndc.dll (filesize 94228 bytes, MD5 D30D493CB66FFF78FADED19B7BE4A214)
O20 - Winlogon Notify: gebyx - C:\WINDOWS\SYSTEM32\gebyx.dll
From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start=>Control Panel=>Folder Options=>View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"=>Yes to confirm.
4. Click Apply=>OK.
5. Close Control Panel.
files...
C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\twencndc.dll
Also....
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.ini
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\system32\xybeg.tmp
C:\WINDOWS\system32\xybeg.tmp1
C:\WINDOWS\system32\xybeg.tmp2
Note: This is the filename from the O2 and O20 entries spelled backwards.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here, along with a new HiJackThis log and the VundoFix.txt file from the VundoFix© folder, into this topic.
George a.k.a. SpotCheckBilly
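As an added example (not code from this thread, from HijackThis or from VundoFix), here is a small Python triage script that applies the pattern George describes to HijackThis lines: an O2 BHO registered as "(no name)", an O20 Winlogon Notify hook with the same name, and the companion files named as the DLL stem spelled backwards. The thread shows the reversed-name derivation only for gebyx.dll; the script generalizes it to any nameless BHO, and it also flags the leftover "(file missing)" hook that appears in the 12/23 log. The sample log lines are constructed from the entries quoted in this thread.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines for the Vundo
pattern this thread walks through: a BHO DLL registered with "(no name)" in
system32 that is also hooked as a Winlogon Notify package, with companion
files named as the DLL stem spelled backwards (gebyx.dll -> xybeg.*).
All sample log lines are constructed from the entries quoted in the thread."""
import re
from dataclasses import dataclass, field

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)"
    r"(?: \(filesize .*\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Companion extensions the thread tells the user to delete (xybeg.bak1 ... xybeg.tmp2).
COMPANION_EXTS = (".bak1", ".bak2", ".ini", ".ini2", ".tmp", ".tmp1", ".tmp2")

# Constructed from the first post's HijackThis entries (before cleanup).
LOG_BEFORE = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebyx.dll (filesize 27149 bytes, MD5 06E858453DB79C4F67848D0D3FC09878)
O2 - BHO: (no name) - {84acd4e1-ffc1-4202-8027-cc867049aaeb} - C:\WINDOWS\system32\twencndc.dll (filesize 94228 bytes, MD5 D30D493CB66FFF78FADED19B7BE4A214)
O20 - Winlogon Notify: gebyx - C:\WINDOWS\SYSTEM32\gebyx.dll
"""
# Constructed from the 12/23 log: the DLL is gone but its Winlogon hook lingers.
LOG_AFTER = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: gebyx - gebyx.dll (file missing)
"""


@dataclass
class Finding:
    line: str
    reason: str
    companions: list = field(default_factory=list)


def dll_stem(path):
    """C:\\WINDOWS\\system32\\gebyx.dll -> gebyx"""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def vundo_companions(dll_path):
    """Derive the reversed-stem companion files: gebyx.dll -> xybeg.bak1, xybeg.ini, ..."""
    folder = dll_path.rsplit("\\", 1)[0]
    return [f"{folder}\\{dll_stem(dll_path)[::-1]}{ext}" for ext in COMPANION_EXTS]


def triage(log_text):
    """Return Findings for the nameless-BHO / Winlogon Notify pairing and for orphaned hooks."""
    findings = []
    nameless = {}  # stem -> DLL path, used to cross-reference O20 key names
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                path = m.group("path")
                nameless[dll_stem(path)] = path
                findings.append(Finding(
                    line, "BHO registered without a name; check for reversed-name companions",
                    vundo_companions(path)))
            continue
        m = O20_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding(
                    line, "orphaned Winlogon Notify entry (DLL already deleted); fix the registry entry"))
            elif m.group("key").lower() in nameless:
                findings.append(Finding(
                    line, "Winlogon Notify hook for the nameless BHO DLL (Vundo-style persistence)"))
    return findings


if __name__ == "__main__":
    for label, log in (("before cleanup", LOG_BEFORE), ("after cleanup", LOG_AFTER)):
        print(f"== {label} ==")
        for f in triage(log):
            print(f"{f.reason}\n  {f.line}")
            for c in f.companions:
                print(f"  companion: {c}")
```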
hojo38, 4 Posts, December 22nd, 2005 11:00
George, Thanks for the detailed guidance. I think I understand the instructions EXCEPT for the following:
"Open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u twencndc.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing."
George, I don't know how to "open a command prompt" or "unregister" anything. Sorry, you have a real novice here. Perhaps you could provide the specifics. Thanks again for the help.
SpotCheckBilly, 932 Posts, December 22nd, 2005 20:00
I'm happy to help you through any steps that you don't understand. Everyone is a novice at one point. To open a "command prompt" (which is a holdover from the days of DOS, before Windows):
Click Start=>Run.
Type in "cmd" (without the quotes)
A command prompt window will open. It looks like a black box with some lines of text in it. The last line should look something like C:\folder\ with a flashing cursor next to it. In your case you would type: regsvr32 /u twencndc.dll, then hit Enter. To make sure that the line is entered exactly as shown, it's easier just to highlight the text (in this case regsvr32 /u twencndc.dll), copy it, then use right-click=>Paste to paste it into the command prompt box, then hit Enter.
You will then be able to delete that file.
Any other questions, don't hesitate to ask. If I don't hear back from you before then, have a Happy Holiday.
George a.k.a. SpotCheckBilly
hojo38, 4 Posts, December 23rd, 2005 20:00
George, below you will find the ActiveScan, Hijack, and Vundo logs requested. These were run after the above protocols were followed.
I am not certain if the sequence of steps listed above is in the order you intend. The "command prompt" instruction falls within the middle of the HiJackThis sequence. I could not open the command prompt until after I had scanned, checked the listed files, and closed the program. Once closed, the next instruction directs a reboot and then advises to "continue with instructions below." But the next instruction is to reboot again in the "safe mode".
The activity within the "command prompt" instruction was also not clear to me. Once there, I was only able to "unregister" the twencndc.dll file. Was there more to be done with this command prompt box? Was this sequence to be run in the "safe mode"?
Thanks again for your time and attention to my problem. Happy holiday. Cheers HDjr
Active Scan
Incident Status Location
Adware:adware/comet Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\Starware
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:Adware/FlashTrack Not disinfected C:\Program Files\Common Files\Java\flencpy.cfg
Adware:Adware/FlashTrack Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C5A2D2F-27A4-4DCD-93CC-9206DC\8F0655C3-6772-43A0-B0E8-3EE044
Vundo Log
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\system32\gebyx.dll
The second filepath entered was C:\WINDOWS\system32\xybeg
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 136 'smss.exe'
Killing PID 780 'explorer.exe'
Killing PID 780 'explorer.exe'
Killing PID 212 'winlogon.exe'
Killing PID 212 'winlogon.exe'
--------------------------------------------------------------------------------------
C:\WINDOWS\system32\gebyx.dll Deleted sucessfully.
C:\WINDOWS\system32\xybeg Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------
Hijack Log
Logfile of HijackThis v1.99.1
Scan saved at 1:51:41 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127168493180
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://user:user123@12.107.238.242/activex/AxisCamControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: gebyx - gebyx.dll (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
SpotCheckBilly, 932 Posts, December 24th, 2005 06:00
OK, things are looking good. Nice work.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O20 - Winlogon Notify: gebyx - gebyx.dll (file missing)
With all windows closed except HiJackThis, click "Fix checked".
Post back a new log, and let me know how things are going.
George a.k.a. SpotCheckBilly
hojo38, 4 Posts, December 24th, 2005 19:00
George, the requested log follows. This was run after "fixing" the two files noted above. Before deleting these files, Microsoft AntiSpyware would still find a Trojan Name Shifter on scan.
Thanks again for your gracious assistance. Happy Holiday HDjr
HiJackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 3:50:55 PM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127168493180
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://user:user123@12.107.238.242/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
SpotCheckBilly, 932 Posts, December 24th, 2005 21:00
You're very welcome. Have a Wonderful Holiday.
Congratulations! Your log looks clean - good work!
Reboot your computer, and try using different programs and make sure everything is running ok. If you're still experiencing problems, post back a description and wait for advice before continuing with the cleanup.
Download, install and run Cleanup! from Steven Gould, then:
1. Click "Cleanup!" (wait for the program to finish scanning your system and selecting files to be removed).
2. Exit the program and reboot the computer, if necessary.
For more information about using Cleanup!, see here.
If everything is running ok, let's do the final cleanup...
1. Run "Disk Cleanup" and allow it to remove everything it finds.
2. If you've downloaded MicroWorld AV (MWAV), run it again, but don't scan; just click "Clear Log" and exit the program.
3. Please skip this step: Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". Follow on-screen prompts. (You can substitute Panda Active Scan if you like.)
4. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system restore point manually.
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
- SpywareBlaster => SpywareBlaster will prevent spyware from being installed.
- SpywareGuard => SpywareGuard offers realtime protection from spyware installation attempts.
- How to use Ad-Aware to remove Spyware => If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware => If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware; I strongly recommend both to catch most spyware.
To protect yourself further:
- IE/Spyad => IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file => The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
- Google Toolbar => Get the free Google toolbar to help stop pop-up windows.
I also suggest that you delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), for example:
- C:\WINDOWS\Temp\ ---> everything after the \.
- C:\Temp\ ---> everything after the \.
- C:\Documents and Settings\username\Local Settings\Temp\ ---> everything after the \.
- Repeat for all users.
Also delete your Temporary Internet Files:
- Click Start=>Control Panel=>Internet Options.
- Under the General tab, click the Delete Files button.
- Place a check-mark in Delete all offline content.
- Click OK=>OK.
- Exit Control Panel.
- Repeat for all users.
Empty the Recycle Bin:
- Right-click the Recycle Bin icon on your desktop.
- Select "Empty Recycle Bin".
- Repeat for all users.
Note: you can also do the above steps using a program such as Cleanup! from Steven Gould or CCleaner. These steps should be done on a regular basis.
Also, please see "So how did I get infected in the first place?"
If you are having any more problems, post back the description along with a fresh HijackThis log.
George a.k.a. SpotCheckBilly