Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

judyls26

6 Posts

1742

April 14th, 2005 02:00

Problems with popups

Hello,
 
I hope you could help me.
 
I recently began to use a DELL the problem I have is with zipzappromos, this popups are bothering me all the time I'm in internet.
 
I search at Google an option to delete them. And I found a process that requested me to download hijackthis.
 
Finally I obtain a notepad result from this program.
I'm attaching this results. I hope you can help me.
 
Thanks in advanced for your atention an help.
 
My best regards
 
Julieta
 
Logfile of HijackThis v1.99.1
Scan saved at 10:18:24 p.m., on 13/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
C:\ARCHIV~1\Iomega\System32\AppServices.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter.exe
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Connection Manager.exe
C:\WINDOWS\SYSTEM32\IoctlSvc.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe
C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe
C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe
C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
C:\Archivos de programa\CursorXP\CursorXP.exe
C:\Archivos de programa\Digital Line Detect\DLG.exe
C:\ARCHIV~1\Webshots\webshots.scr
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msdcdev.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\DOCUME~1\JULIET~1\CONFIG~1\Temp\Directorio temporal 1 para hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Prodigy Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:3128;https=127.0.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DHTML Dynamic Link Library - {468EE850-6E40-412A-981A-2BFD9C76E335} - C:\WINDOWS\system32\dhtmcore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Mensajero de Empleo] C:\Archivos de programa\sac\mensajero\BMTClient.exe
O4 - HKLM\..\Run: [] C:\Archivos de programa\sac\mensajero\BMTClient.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [EnoLogic NetFilter Tray Icon] "C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe"
O4 - HKLM\..\Run: [NetUpdatePrompt] C:\Archivos de programa\EnoLogic\NetUpdate\Bin\EnoLogic NetUpdate Prompt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CursorXP] C:\Archivos de programa\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\Launcher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_ES_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_ES_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{627E284E-2039-409B-AE50-DE621986952F}: NameServer = 200.33.146.193 200.33.146.201
O17 - HKLM\System\CS1\Services\Tcpip\..\{627E284E-2039-409B-AE50-DE621986952F}: NameServer = 200.33.146.193 200.33.146.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EnoLogic Configuration Manager (EnoLogicConfigurationManager) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARCHIV~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: EnoLogic NetFilter (NetFilter) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter.exe
O23 - Service: EnoLogic Connection Manager (NetFilterManager) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Connection Manager.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Archivos de programa\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\SYSTEM32\IoctlSvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
 

bobmartino

40 Posts

April 14th, 2005 11:00

Hello and Welcome

Please print out or copy this page to notepad for easy reference when carrying out the instructions. Make sure to work through the fixes in the exact order they are listed. If you have any questions feel free to ask before carrying out the fixes.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Turn off System Restore by doing the following:
Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Show Hidden and System files:
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

For the options that you have checked/enabled, you may uncheck them after your log is clean.
If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad, but you want to keep).

Please download all of the following programs before trying any of the fixes:
Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Please download Spybot S&D and install it if you don't have it already. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

==========================

Reboot into Safe Mode (hit F8 key until menu shows up).

End Running Processes:
Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\msdcdev.exe

Open Hijack This and click on Scan. Check the following entries, if they are still there. (make sure you do not miss any)

R3 - Default URLSearchHook is missing
O2 - BHO: DHTML Dynamic Link Library - {468EE850-6E40-412A-981A-2BFD9C76E335} - C:\WINDOWS\system32\dhtmcore.dll
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_ES_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_ES_XP.cab

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\dhtmcore.dll
EGDACCESS_1058.dll -- You will have to search for this one

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and post it up in the forum.

Do you know what this program is, or what it stands for in english?
O4 - HKLM\..\Run: [Mensajero de Empleo] C:\Archivos de programa\sac\mensajero\BMTClient.exe
O4 - HKLM\..\Run: [] C:\Archivos de programa\sac\mensajero\BMTClient.exe

judyls26

6 Posts

April 19th, 2005 22:00

Hello again,
 
I ran  HijackThis, downloaded Spybot an  Ad-ware SE, I deleted all the files you told me, but I continue with the same problem pop ups all the time.
 
I'm sending the last scan of HijackThis
 
Could you please help me
 
Logfile of HijackThis v1.99.1
Scan saved at 06:23:33 p.m., on 19/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
C:\ARCHIV~1\Iomega\System32\AppServices.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter.exe
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Connection Manager.exe
C:\WINDOWS\SYSTEM32\IoctlSvc.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe
C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe
C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe
C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
C:\Archivos de programa\CursorXP\CursorXP.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Digital Line Detect\DLG.exe
C:\ARCHIV~1\Webshots\webshots.scr
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\DOCUME~1\JULIET~1\CONFIG~1\Temp\Directorio temporal 4 para hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Prodigy Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:3128;https=127.0.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [EnoLogic NetFilter Tray Icon] "C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe"
O4 - HKLM\..\Run: [NetUpdatePrompt] C:\Archivos de programa\EnoLogic\NetUpdate\Bin\EnoLogic NetUpdate Prompt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CursorXP] C:\Archivos de programa\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\Launcher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{627E284E-2039-409B-AE50-DE621986952F}: NameServer = 200.33.146.193 200.33.146.201
O17 - HKLM\System\CS1\Services\Tcpip\..\{627E284E-2039-409B-AE50-DE621986952F}: NameServer = 200.33.146.193 200.33.146.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EnoLogic Configuration Manager (EnoLogicConfigurationManager) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARCHIV~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: EnoLogic NetFilter (NetFilter) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter.exe
O23 - Service: EnoLogic Connection Manager (NetFilterManager) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Connection Manager.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Archivos de programa\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\SYSTEM32\IoctlSvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
 

bobmartino

40 Posts

April 20th, 2005 00:00

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

bobmartino

40 Posts

April 20th, 2005 16:00

Hey there,

Lets disable Spybot's Tea Timer for now, as it can interfere with the fixing of problems.

Open Spybot and and make sure you are in Advanced mode (check it in the 'Mode' menu). Go to the Tools section and click resident and then uncheck the box for Tea Timer.  Restart the computer.

Yeah denying it was fine, that file is going to show its face again though.

Can you give me another Hijackthis log and the TDS-3 log, I need this to try id the file that brought this back.

Cheers

judyls26

6 Posts

April 20th, 2005 16:00

I notice that Spybot ask my to deny or allow a change to a register or key file, is one of the files that you told me to look for and delete  Egdaccess_1058.dll 
I deny the change that was right?
 
I'm attaching the log of StartDreck
 
Thaks in advance
 
StartDreck (build 2.1.7 public stable) - 2005-04-20 @ 12:03:15 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Julieta Dinorah at JULIETA
»Registry
 »Run Keys
  »Current User
   »Run
    *Yahoo! Pager=C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    *CursorXP=C:\Archivos de programa\CursorXP\CursorXP.exe
    *SpybotSD TeaTimer=C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
   »RunOnce
  »Default User
   »Run
    *CTFMON.EXE=C:\WINDOWS\system32\CTFMON.EXE
   »RunOnce
  »Local Machine
   »Run
    *IgfxTray=C:\WINDOWS\system32\igfxtray.exe
    *HotKeysCmds=C:\WINDOWS\system32\hkcmd.exe
    *SunJavaUpdateSched=C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
    *DVDLauncher="C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe"
    *Drag'n'Drop_Autolaunch="C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe"
    *Prolific_PLUtil=C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
    *PLFFAP=C:\WINDOWS\system32\HotfixQ0306270.exe
    *pccguide.exe="C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
    *PCCClient.exe="C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
    *Pop3trap.exe="C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
    *EnoLogic NetFilter Tray Icon="C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe"
    *NetUpdatePrompt=C:\Archivos de programa\EnoLogic\NetUpdate\Bin\EnoLogic NetUpdate Prompt.exe
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.disabled
   *SpybotSD.DisabledFile="C:\Archivos de programa\Spybot - Search & Destroy\blindman.exe" "%1"
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\system32\mshta.exe "%1" %*
  +.htm
   *htmlfile="C:\Archivos de programa\Internet Explorer\iexplore.exe" -nohome
  +.html
   *htmlfile="C:\Archivos de programa\Internet Explorer\iexplore.exe" -nohome
  +.js
   *JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.jse
   *JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
  +.vbs
   *VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.vbe
   *VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsh
   *WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsf
   *WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Active Setup (LM)
  +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
   *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
  +Personalización del explorador/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
   *StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
  +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
   *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
  +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
   *StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
  +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
   *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
  +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
   *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
  +Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
   *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
  +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
   *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
  +Libreta de direcciones 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
   *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
  +Actualización del escritorio de Windows/{89820200-ECBD-11cf-8B85-00AA005B4340}
   *StubPath=regsvr32.exe /s /n /i:U shell32.dll
  +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
   *StubPath=%SystemRoot%\system32\ie4uinit.exe
  +Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
   *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  *{53707962-6F74-2D53-2644-206D7942484F}
   `InprocServer32=C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
  *Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
   `InprocServer32=c:\archivos de programa\google\googletoolbar1.dll
 »Internet Explorer
  »Current User
   *Default_Page_URL=http://www.dell.com/
   *Local Page=C:\WINDOWS\system32\blank.htm
   *Search Bar=http://www.google.com/ie
   *Search Page=http://www.google.com
   *Start Page=http://www.google.com.mx/
   *Window Title=Microsoft Internet Explorer - Prodigy Internet
   +SearchUrl
    *provider=gogl
    *=http://www.google.com/keyword/%s
  »Default User
   *Default_Page_URL=http://www.dell.com/
   *First Home Page=http://www.dell.com/
   *Start Page=http://www.dell.com/
  »Local Machine
   *Default_Page_URL=http://www.dell.com/
   *Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
   *Local Page=%SystemRoot%\system32\blank.htm
   *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
   *Start Page=http://www.dell.com/
   *CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
   *SearchAssistant=http://www.google.com/ie
 »ShellServiceObjectDelayLoad (LM)
  *0aMCPClient={F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}
   `InprocServer32=
  *PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
   `InprocServer32=%SystemRoot%\system32\SHELL32.dll
  *CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
   `InprocServer32=%SystemRoot%\system32\SHELL32.dll
  *WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
   `InprocServer32=%SystemRoot%\system32\webcheck.dll
  *SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
   `InprocServer32=C:\WINDOWS\system32\stobject.dll
 »Special NT Values
  »Current User
   *Load=
   *Run=
   *Programs=com exe bat pif cmd
   *SHELL=
  »Default User
   *Load=
   *Run=
   *Programs=com exe bat pif cmd
   *SHELL=
  »Local Machine
   *AppInit_DLLs=
   *SHELL=Explorer.exe
   *Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
 »Autostart Folders
  »Current User
   *C:\Documents and Settings\Julieta Dinorah\Menú Inicio\Programas\Inicio\DESKTOP.INI
   *C:\Documents and Settings\Julieta Dinorah\Menú Inicio\Programas\Inicio\Webshots.lnk
  »Default User
   *C:\WINDOWS\system32\config\systemprofile\Menú Inicio\Programas\Inicio\DESKTOP.INI
  »Local Machine
   *C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\DESKTOP.INI
   *C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Digital Line Detect.lnk
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\boot.ini
   `[boot loader]
   `timeout=30
   `default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
   `[operating systems]
   `multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
  *C:\msdos.sys
  *C:\config.sys
  *C:\WINDOWS\system32\config.nt
   `REAM        al l¡mite de 16 KB. El valor predeterminado es 0x4000.
   `dos=high, umb
   `device=%SystemRoot%\system32\himem.sys
   `files=40
  *C:\autoexec.bat
  *C:\WINDOWS\system32\autoexec.nt
   `@echo off
   `lh %SystemRoot%\system32\mscdexnt.exe
   `lh %SystemRoot%\system32\redir
   `lh %SystemRoot%\system32\dosx
   `SET BLASTER=A220 I5 D1 P330 T3
  *C:\WINDOWS\system32\drivers\etc\hosts
   `127.0.0.1       localhost
 »Program Files
  *C:\ntldr
  *C:\ntdetect.com
  *C:\io.sys
  *C:\WINDOWS\system32\win.com
  *C:\WINDOWS\explorer.exe
 »%PATH% Companion Files
 +C:\WINDOWS\system32\NOTEPAD.EXE
  *C:\WINDOWS\NOTEPAD.EXE
 +C:\WINDOWS\system32\TASKMAN.EXE
  *C:\WINDOWS\TASKMAN.EXE
 +C:\WINDOWS\system32\WINHLP32.EXE
  *C:\WINDOWS\WINHLP32.EXE
»System/Drivers
 »Running Processes
  +0=
  +4=
  +548=\SystemRoot\System32\smss.exe
  +596=\??\C:\WINDOWS\system32\csrss.exe
  +620=\??\C:\WINDOWS\system32\winlogon.exe
  +664=C:\WINDOWS\system32\services.exe
  +676=C:\WINDOWS\system32\lsass.exe
  +848=C:\WINDOWS\system32\svchost.exe
  +928=C:\WINDOWS\system32\svchost.exe
  +964=C:\WINDOWS\System32\svchost.exe
  +1028=C:\WINDOWS\system32\svchost.exe
  +1136=C:\WINDOWS\system32\svchost.exe
  +1260=C:\WINDOWS\system32\LEXBCES.EXE
  +1292=C:\WINDOWS\system32\LEXPPS.EXE
  +1300=C:\WINDOWS\system32\spoolsv.exe
  +1448=C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
  +1484=C:\ARCHIV~1\Iomega\System32\AppServices.exe
  +1516=C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
  +1536=C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter.exe
  +1572=C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Connection Manager.exe
  +1640=C:\WINDOWS\SYSTEM32\IoctlSvc.exe
  +1728=C:\WINDOWS\system32\wdfmgr.exe
  +584=C:\WINDOWS\Explorer.EXE
  +1108=C:\WINDOWS\system32\hkcmd.exe
  +1172=C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
  +1180=C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe
  +1208=C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe
  +1216=C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
  +1036=C:\WINDOWS\system32\HotfixQ0306270.exe
  +1676=C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe
  +1328=C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
  +2008=C:\Archivos de programa\CursorXP\CursorXP.exe
  +2052=C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
  +2484=C:\Archivos de programa\Digital Line Detect\DLG.exe
  +2548=C:\WINDOWS\System32\alg.exe
  +2656=C:\ARCHIV~1\Webshots\webshots.scr
  +3540=C:\Archivos de programa\Internet Explorer\iexplore.exe
  +3452=C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
  +3620=C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
  +3480=C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCCLIENT.EXE
  +4040=C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCGUIDE.EXE
  +3624=C:\Archivos de programa\Trend Micro\PC-cillin 9\POP3TRAP.EXE
  +1160=C:\StartDreck.exe
 »VMM32Files (LM)
 »%System%\VMM32
 »%System%\IOSUBSYS
»Application specific
 »MS Office 97/8.0 STARTUP-PATH
  »Current User
  »Default User
  »Local Machine
 »ICQ NetDetect
  »Current User
   »Default User

judyls26

6 Posts

April 20th, 2005 18:00

I can´t disable Tea timer as you requested me Find the logs you asked for:
Bye:smileyhappy:
 
TDS-3 log:
 
 
13:49:37 [Init] Trojan Defence Suite v3.2.0  (UNLICENSED)
13:49:38 [Init] Started 20-04-05 13:49:37 Hora estándar de México (UTC: 6), Internet Time @826.12
13:49:38 [Init] Loading TDS-3 Systems ...
13:49:38 [Init] Token successfully adjusted.
13:49:38 [Init] • TDS Privileges   :   OK.      Adjusted TDS-3 token privileges to maximum
13:49:38 [Init] • Plugins          :   OK.      Loaded 13
13:49:38 [Init] • Exec Protection  :   Not Installed
13:49:38 [Init] WARNING: Your Radius.TD3 database needs to be updated!
13:49:38 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
13:49:38 [Init] Licensed users can use the Update facility from the TDS menu
13:49:38 [Init] Loading Radius Advanced Scanning Systems ...
13:49:44 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
13:49:44 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
13:49:44 [Init] Radius Systems loaded.
13:49:45 [Init] TDS-3 Ready. dinorah@200.65.35.141, 127.0.0.1 - México>
13:49:45 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning for the
memory-resident mutexes that they use.
13:49:45 [TDS] Good afternoon Julieta dinorah.
13:49:51 [CRC32] Started - verifying 29 files ...
13:49:53 [CRC32] Test finished.
13:51:58 [Memory Scan] Memory scan started, please wait a moment ...
13:51:59 [Memory Scan] Memory scan complete.
13:51:59 [Mutex Memory Scan] Started...
13:52:00 [Mutex Memory Scan] Finished (no trojan mutexes found).
13:52:00 [Trace Scan] Started...
13:52:05 [Trace Scan] Finished.
13:52:05 [ServiceScan] Scanning for services and drivers ...
13:52:07 [ServiceScan] Scanned 306 services and drivers.
13:52:07 [File Scan] Scanning in A:\ ...
13:52:08 [File Scan] Scanned 0 files: 2 alarms in 1.015625 seconds (Avg 1. files/sec)
13:52:08 [File Scan] Scanning in C:\ ...
14:15:02 [File Scan] Scanned 36540 files: 2 alarms in 1373.609 seconds (Avg 27.6 files/sec)
14:15:03 [Scan] Finished.
14:15:05 [Mutex Memory Scan] Started...
14:15:07 [Mutex Memory Scan] Finished (no trojan mutexes found).
14:15:07 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
 
alarms:
Scan Control Dumped @ 14:17:20 20-04-05
Live trojan found (in process memory): Possible Trojan (Changes registry editing setting)
  File: C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
Live trojan found: Possible Trojan (Changes registry editing setting)
  File: C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe
 
 
Hijackthis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 01:31:31 p.m., on 20/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
C:\ARCHIV~1\Iomega\System32\AppServices.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter.exe
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Connection Manager.exe
C:\WINDOWS\SYSTEM32\IoctlSvc.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe
C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe
C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe
C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
C:\Archivos de programa\CursorXP\CursorXP.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Digital Line Detect\DLG.exe
C:\ARCHIV~1\Webshots\webshots.scr
C:\DOCUME~1\JULIET~1\CONFIG~1\Temp\Directorio temporal 5 para hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Prodigy Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:3128;https=127.0.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Archivos de programa\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Archivos de programa\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [EnoLogic NetFilter Tray Icon] "C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter Tray Icon.exe"
O4 - HKLM\..\Run: [NetUpdatePrompt] C:\Archivos de programa\EnoLogic\NetUpdate\Bin\EnoLogic NetUpdate Prompt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CursorXP] C:\Archivos de programa\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\Launcher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EnoLogic Configuration Manager (EnoLogicConfigurationManager) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Configuration Manager.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARCHIV~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: EnoLogic NetFilter (NetFilter) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic NetFilter.exe
O23 - Service: EnoLogic Connection Manager (NetFilterManager) - Unknown owner - C:\Archivos de programa\EnoLogic\NetFilter Home\EnoLogic Connection Manager.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Archivos de programa\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\SYSTEM32\IoctlSvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
 
 
 
 

bobmartino

40 Posts

April 20th, 2005 19:00

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Before doing this fix we must turn of Tea Timer it may block everything if we dont.
Can you tell me what the problem was with turning of Tea Timer?
Try following these intructions
http://russelltexas.com/malware/teatimer.htm

Once it is disabled continue with the instructions, any problems let me know.

Reboot into Safe Mode (hit F8 key until menu shows up).
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs if they are there:

Instant Access

Open Hijack This and click on Scan. Check the following entries, if they are still there. (make sure you do not miss any)

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\EGDHTML_1027.dll
C:\WINDOWS\System32\EGDial.dll
C:\WINDOWS\System32\ia.dll
C:\WINDOWS\System32\mseggrpid.dll

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and post it up here.

judyls26

6 Posts

April 21st, 2005 00:00

  I do everything I followed strictly your instructions, I ran all the program they delete all the files I scan several times, I reboot my PC,  but it doesn't work, when I begin to use internet the file egdaccess_1058.dll reappear again  I quit!!!!
 
What can I do?

bobmartino

40 Posts

April 21st, 2005 08:00

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode (hit F8 key until menu shows up).
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs if they are there:

Instant Access

Open Hijack This and click on Scan. Check the following entries, if they are still there.(make sure you do not miss any)

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess

Please remember to close all other windows, including browsers then click Fix checked.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\System32\EGDACCESS_1058.dll
C:\WINDOWS\System32\EGDHTML_1027.dll
C:\WINDOWS\System32\EGDial.dll
C:\WINDOWS\System32\ia.dll
C:\WINDOWS\System32\mseggrpid.dll
C:\WINDOWS\system32\EGDACCESS.dll
C:\WINDOWS\system32\msclock32.dll
C:\WINDOWS\system\MSCLOCK32.dll


Reboot two or three times, then in normal mode, post up a new HijackThis Log.

Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

Instant Access

Save the file/files and post the results in the forum.

judyls26

6 Posts

April 25th, 2005 18:00

Bob,

 

Finally the pop ups have finished

THANKS for all your help

Bye   :smileywink:

 

 

Was this post helpful?

View All

No Events found!

Top