4.4K Posts

September 8th, 2004 04:00

jc11gurl,

Here are some sites where you can receive help analyzing your HijackThis log from trained experts. Note that the sites require registration before you will be able to post.

Subratam.org
BleepingComputer.com
ZerosRealm.com

Be sure to describe the problem you're experiencing.

Before you post, please update HijackThis to the current version, 1.98.2, and post the log from that version.

Please see the Alliance of Security Analysis Professionals (ASAP) site for a complete list of member sites providing support and assistance.

Jim

44 Posts

September 8th, 2004 04:00

Here is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 1:35:34 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\aimsgr.exe
C:\active.exe
C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\plxxioh.exe
C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\lnyeozff.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\SARAHM~1\LOCALS~1\Temp\~MySetup.exe
c:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\ipssvpia.exe
C:\WINDOWS\System32\ircncutl.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\WeatherCast\Weather.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah Messier\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {3DF1667C-9410-07E3-D600-655508DB2446} - C:\WINDOWS\System32\ezrk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF4cff.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AQB] C:\WINDOWS\AQB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF4cff.dll
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [15js50Z] C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
O4 - HKLM\..\Run: [jdhmqq] C:\WINDOWS\System32\plxxioh.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [yzsx] C:\WINDOWS\yzsx.exe
O4 - HKLM\..\Run: [r2l09] C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [VMOozZmj] c:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKLM\..\Run: [DUNb6CWQz] c:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Software\Popup Blocker.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Tjdozu] C:\WINDOWS\System32\lnyeozff.exe
O4 - HKCU\..\Run: [box7RSN4j] ircncutl.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\RunOnce: [DeleteXXXToolbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll

4.4K Posts

September 8th, 2004 05:00

jc11gurl,

Your new log shows that you're running HijackThis from a temporary directory. You need to copy HijackThis.exe to the directory you used last time, C:\HJT.

Most critically, you need to register and submit your log to one of the HijackThis log analysis sites I listed in my prior post. Here's the information I posted:

Here are some sites where you can receive help analyzing your HijackThis log from trained experts. Note that the sites require registration before you will be able to post.

Subratam.org
BleepingComputer.com
ZerosRealm.com

Be sure to describe the problem you're experiencing.

Please see the Alliance of Security Analysis Professionals (ASAP) site for a complete list of member sites providing support and assistance.

Jim

302 Posts

September 8th, 2004 05:00

AFTER you move HJT to its own folder.

(I started that review before you posted the new log.)

Message Edited by cghost on 09-08-2004 01:43 AM

302 Posts

September 8th, 2004 05:00

Boot to safe mode.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Check Add/Remove Programs and try to uninstall any of those present.
The programs that installed themselves: WhenUSearch, ClockSync, WeatherCast, PowerScan, EARN.

Empty this temp folder
C:\documents and settings\sarah messier\local settings\temp <---


Run hijackthis, tick to fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {3DF1667C-9410-07E3-D600-655508DB2446} - C:\WINDOWS\System32\ezrk.dll
O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF4cff.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AQB] C:\WINDOWS\AQB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF4cff.dll
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [jdhmqq] C:\WINDOWS\System32\plxxioh.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [yzsx] C:\WINDOWS\yzsx.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKCU\..\Run: [Tjdozu] C:\WINDOWS\System32\lnyeozff.exe
O4 - HKCU\..\Run: [box7RSN4j] ircncutl.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\RunOnce: [DeleteXXXToolbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab


Delete these files:
C:\WINDOWS\System32\plxxioh.exe
C:\WINDOWS\System32\lnyeozff.exe
C:\WINDOWS\System32\ipssvpia.exe
C:\WINDOWS\System32\ircncutl.exe
C:\WINDOWS\localNRD.dll
C:\WINDOWS\System32\ezrk.dll
C:\WINDOWS\AQB.exe
C:\WINDOWS\System32\dp-him.exe
C:\active.exe
C:\WINDOWS\yzsx.exe

Delete these folders:
C:\Program Files\AutoUpdate
C:\PROGRA~1\Save
C:\Program Files\WhenUSearch
C:\PROGRA~1\Web Offer
C:\Program Files\WeatherCast
C:\Program Files\ClockSync
C:\Program Files\Power Scan
c:\program files\180solutions

Reboot to normal mode.
Try an online scan from Trend Micro and/or Pandasoft.

Post a new log.

Regards
cg
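
A way to pre-screen a HijackThis 1.9x log for the kinds of entries cghost picked out above: autoruns launched from the user's temp folder, bare file names with no path, executables dropped straight into C:\ or C:\WINDOWS, Run keys that re-register a DLL with regsvr32 /s, orphaned BHO/toolbar CLSIDs, and an IE Search Bar pointed at a local file. This is an added example written for this page, not code from the thread, from HijackThis or from any of the analysis sites. The sample lines are constructed in the format of the logs above, and the heuristics are the editor's own: they rank entries for a human reviewer, they do not decide for one.

```python
"""Pre-screen a HijackThis 1.9x log for entries worth a closer look.

Added example for this page; not code from HijackThis or the thread's helpers.
The patterns mirror what the fix list above acted on. They rank entries for a
human reviewer, they do not decide for one.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "section item target reasons")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)")
# O2 - BHO: label - {CLSID} - path   /   O3 - Toolbar: label - {CLSID} - path
O2_RE = re.compile(r"(?:BHO|Toolbar): (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)")
# First thing on an unquoted command line that looks like a loadable file.
PATH_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|htm|html))", re.IGNORECASE)
LAUNCHERS = ("regsvr32 /s ", "rundll32.exe ", "rundll32 ")


def target_path(cmd):
    """Return the file a Run command actually loads, ignoring launcher and arguments."""
    cmd = cmd.strip()
    for launcher in LAUNCHERS:  # regsvr32 / rundll32 load the DLL named after them
        if cmd.lower().startswith(launcher):
            cmd = cmd[len(launcher):].strip()
            break
    if cmd.startswith('"'):  # quoted path; arguments follow the closing quote
        return cmd[1:].split('"', 1)[0]
    m = PATH_RE.match(cmd)  # unquoted path with spaces: cut at the first file extension
    return m.group(1) if m else cmd.split(" ", 1)[0]


def path_reasons(path):
    """Heuristics on where a loaded file lives; each hit is a reason to inspect it."""
    low = path.lower()
    reasons = []
    if "\\local settings\\temp\\" in low or "\\locals~1\\temp\\" in low:
        reasons.append("loads from the user's temp directory")
    if "\\" not in low:
        reasons.append("bare file name resolved through the search path; find the file on disk before trusting it")
    elif low.rsplit("\\", 1)[0] in ("c:", "c:\\windows"):
        reasons.append("file sits directly in the drive or Windows root rather than a program directory")
    return reasons


def triage(log_text):
    """Return a Finding for every R1/O2/O3/O4 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, header lines, sections we do not score
        sec, body = m.group("sec"), m.group("body")
        item, target, reasons = None, None, []
        if sec == "O4":
            mm = O4_RE.match(body)
            if not mm:
                continue  # e.g. "Global Startup" shortcut lines
            item, target = mm.group("name"), target_path(mm.group("cmd"))
            reasons = path_reasons(target)
            if mm.group("cmd").lower().startswith("regsvr32"):
                reasons.append("re-registers a DLL at every logon via regsvr32 /s")
        elif sec in ("O2", "O3"):
            mm = O2_RE.match(body)
            if not mm:
                continue
            item, target = mm.group("label"), mm.group("path")
            if target == "(no file)":
                reasons = ["orphaned registration: CLSID points to (no file)"]
            else:
                reasons = path_reasons(target)
        elif sec == "R1":
            key, _, value = body.partition(" = ")
            item, target = key.rsplit(",", 1)[-1], value
            if value.lower().startswith("file://"):
                reasons = ["IE setting redirected to a local file"]
        if reasons:
            findings.append(Finding(sec, item, target, reasons))
    return findings


# Constructed sample in the format of the logs above (not a real saved log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF4cff.dll
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [15js50Z] C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.section} [{f.item}] {f.target}\n    " + "\n    ".join(f.reasons))
```

Run it with a saved log as the first argument, or with no argument to score the constructed sample. Legitimate entries that are registered by bare file name (nwiz.exe, aimsgr.exe in the logs above) will be flagged too; that is deliberate, since a bare name tells you nothing about which copy of the file the Run key actually starts, and locating it on disk is the check the flag asks for.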

44 Posts

September 8th, 2004 13:00

I don't know much about computers at ALL, but I think this is the C:\HJT thing you were looking for. Again, here's the new log:

Logfile of HijackThis v1.97.7
Scan saved at 10:27:18 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\aimsgr.exe
C:\active.exe
C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
C:\WINDOWS\System32\plxxioh.exe
C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\lnyeozff.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\ipssvpia.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\cleanmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {3DF1667C-9410-07E3-D600-655508DB2446} - C:\WINDOWS\System32\ezrk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF4cff.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AQB] C:\WINDOWS\AQB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF4cff.dll
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [15js50Z] C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
O4 - HKLM\..\Run: [jdhmqq] C:\WINDOWS\System32\plxxioh.exe
O4 - HKLM\..\Run: [r2l09] C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [VMOozZmj] c:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
O4 - HKLM\..\Run: [DUNb6CWQz] c:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Software\Popup Blocker.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Tjdozu] C:\WINDOWS\System32\lnyeozff.exe
O4 - HKCU\..\Run: [box7RSN4j] ircncutl.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\RunOnce: [DeleteXXXToolbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.7103240741
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

I really appreciate all the help you've all been giving me. Thank you!

44 Posts

September 8th, 2004 13:00

Wait, that was the older version. Here's the log with the newer version:

Logfile of HijackThis v1.98.2
Scan saved at 10:31:19 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\aimsgr.exe
C:\active.exe
C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
C:\WINDOWS\System32\plxxioh.exe
C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\lnyeozff.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\ipssvpia.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\cleanmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah Messier\Local Settings\Temporary Internet Files\Content.IE5\QLNWHGJY\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {3DF1667C-9410-07E3-D600-655508DB2446} - C:\WINDOWS\System32\ezrk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF4cff.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AQB] C:\WINDOWS\AQB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF4cff.dll
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [15js50Z] C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
O4 - HKLM\..\Run: [jdhmqq] C:\WINDOWS\System32\plxxioh.exe
O4 - HKLM\..\Run: [r2l09] C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [VMOozZmj] c:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
O4 - HKLM\..\Run: [DUNb6CWQz] c:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Software\Popup Blocker.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Tjdozu] C:\WINDOWS\System32\lnyeozff.exe
O4 - HKCU\..\Run: [box7RSN4j] ircncutl.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\RunOnce: [DeleteXXXToolbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll


44 Posts

September 8th, 2004 17:00

Thank you guys, again, for your help.  I deleted all of the things from HijackThis that you told me to.  I've got rid of the search bar that was at the bottom of my desktop and I don't have a lot of popups anymore.  I also downloaded the Service Pack 2 for XP.  Here is my new log.  Anything I missed?

Logfile of HijackThis v1.98.2
Scan saved at 2:07:23 PM, on 9/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\aimsgr.exe
C:\active.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
C:\WINDOWS\System32\plxxioh.exe
C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
C:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
C:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
C:\WINDOWS\system32\ipssvpia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Sarah Messier\Desktop\Virus, Spyware Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Sarah Messier\Application Data\Mozilla\Profiles\default\jnzunfg5.slt\prefs.js)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [15js50Z] C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
O4 - HKLM\..\Run: [r2l09] C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
O4 - HKLM\..\Run: [VMOozZmj] C:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
O4 - HKLM\..\Run: [DUNb6CWQz] C:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [bwgweb] C:\WINDOWS\System32\plxxioh.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Software\Popup Blocker.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll


302 Posts

September 8th, 2004 18:00

Run Hijackthis, tick to fix:
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
O4 - HKLM\..\Run: [15js50Z] C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
O4 - HKLM\..\Run: [r2l09] C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
O4 - HKLM\..\Run: [VMOozZmj] C:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
O4 - HKLM\..\Run: [DUNb6CWQz] C:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKLM\..\Run: [bwgweb] C:\WINDOWS\System32\plxxioh.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll


Reboot to safe mode.

Show hidden files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Delete these:
Files:
C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
C:\documents and settings\sarah messier\local settings\temp\r2l09.exe
C:\documents and settings\sarah messier\local settings\temp\VMOozZmj.exe
C:\documents and settings\sarah messier\local settings\temp\DUNb6CWQz.exe
(The best thing, if you are not saving anything in this folder, would be to delete all files in this temp folder.)

C:\WINDOWS\System32\plxxioh.exe
C:\WINDOWS\system32\ipssvpia.exe
C:\WINDOWS\localNRD.dll
C:\WINDOWS\System32\mssaru.dll

Folder:
C:\PROGRA~1\Web Offer

For additional information on improving your security you can read this:
http://computercops.biz/postt7736.html

Regards.
cg

These are the things which I found in your last log that should be fixed.

I cannot figure out about this file, whether it should stay or go.
I had hoped the on-line virus scan would deal with it.
C:\active.exe
Perhaps someone else can give you a comment about it.

I do not know the answers concerning the post you just made about McAfee.

Regards.
cg
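As an added example (not code from this thread or from HijackThis itself), a small Python triage helper that applies the heuristics cg used above to O2/O4/O21 log lines: targets living under a user's Local Settings\Temp, bare filenames with no path (so the directory cannot be checked), and random-looking Run key names. The sample lines are constructed from the log above; the function names are my own.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis 1.98.2 log above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Sarah Messier\Local Settings\Temp\JRucZViM.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [15js50Z] C:\documents and settings\sarah messier\local settings\temp\15js50Z.exe
O4 - HKLM\..\Run: [qFEX32h] ipssvpia.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Unquoted Run commands may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|,|$)", re.IGNORECASE)
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)


def first_token(cmd):
    """Executable part of a Run-key command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m["exe"] if m else cmd.split(" ", 1)[0]


def parse_line(line):
    """(section, name, target) for O2/O21/O4 lines; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":
        m4 = O4_RE.search(rest)
        return (section, m4["name"], first_token(m4["cmd"])) if m4 else None
    if section in ("O2", "O21"):
        parts = rest.split(" - ")  # "BHO: <name> - {CLSID} - <path>"
        if len(parts) >= 3:
            return section, parts[0].split(": ", 1)[-1], parts[-1].strip()
    return None


def assess(section, name, target):
    """Heuristics matching the entries cg singled out above: leads, not verdicts."""
    reasons = []
    if TEMP_RE.search(target):
        reasons.append("temp-folder")  # runs from the user's Local Settings\Temp
    if "\\" not in target:
        reasons.append("no-path")  # e.g. "ipssvpia.exe": which directory is it in?
    if (any(c.isdigit() for c in name) and any(c.islower() for c in name)
            and any(c.isupper() for c in name)):
        reasons.append("random-name")  # weak signal: "15js50Z", "qFEX32h"
    return tuple(reasons)


def triage(log_text):
    """Map entry name -> (section, target, reasons) for lines tripping a heuristic."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and (reasons := assess(*parsed)):
            findings[parsed[1]] = (parsed[0], parsed[2], reasons)
    return findings
```

A flag here is a reason to look the entry up, not a verdict: a bare "nwiz.exe" is flagged only because its location cannot be checked from the log, while an entry like the O21 SARU line trips none of these checks and can only be identified against a reference of known entries.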

44 Posts

September 8th, 2004 18:00

After posting this new HijackThis log, I downloaded McAfee because I still have a few months left of my subscription.  It found one virus, "Morphine," and eight other potentially unwanted programs along with a huge list of other stuff I have on my computer.  I have a virus detection that continues coming up on my desktop from McAfee, reading:  The file C:\WINDOWS\system32\aimsgr.exe is infected by the Morphine virus and cannot be cleaned.  I tried quarantining it and deleting it as well, neither of which works.  Also, there are several things that McAfee can't clean, delete, or quarantine as well.  When I run the virus scan, they all come up but I can't get rid of them.  Is there something manually I need to do?  As I said before, I did everything that was listed previous to my last post, getting rid of everything mentioned.

Thanks and I think I'm almost done with all these things.

44 Posts

September 9th, 2004 12:00

Thank you very much for all your help.  My computer's looking a little better.  I think McAfee did take care of that C:\active.exe folder.  When I run McAfee now, I'm down to only ONE potentially unwanted program!  That's big for me...considering everything that it's been through...haha.


I think I might wipe out my whole system (as painful for me as that's going to be with all my pictures, etc.) and start from scratch.  We'll see, I'm having someone help me who works a little with computers this weekend come and take a look. Wish me luck!


Thanks again!

302 Posts

September 9th, 2004 13:00

Hi jc11gurl.

I wanted to make a few comments for you to think about while you're considering the reformat.

Your computer IS your responsibility and it may be that it is appropriate to reformat at this time. However, it may also be that it is not necessary at this time if you have gotten it cleaned up. If you plan on continuing to use the internet, reformatting after every little fiasco is going to be quite a time-consuming process. As you have discovered, an antivirus program is needed. Unfortunately, in our times, you need other stuff too.

Here are links to a couple of things you can look at relating to improving your security and additional security tools you should consider.

http://computercops.biz/postt7736.html

http://www.pcstats.com/articleview.cfm?articleID=1579

Another thing that can help is a hosts file. (Understand that that is susceptible to hijacking too.) Some comments by texruss here:

http://www.russelltexas.com/malware/HOSTS.htm


Now, should you decide to reformat, 2 things I would STRONGLY urge you to consider.

1) Create two partitions instead of one. Use one for programs and one for data. Then in cases like this where you need to find and back up your data, it is much easier.

2) Get an image program such as Norton Ghost to image your install. (Ghost can be purchased as a standalone program or it is included in Systemworks PROFESSIONAL. I don't know how far back on versions you can go to be compatible with XP, but it is possible to pick up outdated versions reasonably on eBay.) You will spend a lot of time getting everything set up now, but if you then make an image, AND if the programs are on a separate partition so you do not have to worry about overwriting data, you can just restore an image and change data file locations in each application to look at the data partition you have set up and you are ready to go.

(This is generic system advice; I don't know to what extent working with a Dell and its specialized restore stuff would change it.)

As long as you update your program partition image when you add new applications, you then have a relatively easy restore method to deal with situations like the one you are in now.

Reference for Ghost

http://ghost.radified.com/ghost_1.htm


Regards.

cg

44 Posts

September 9th, 2004 19:00

Thank you, I will take all of that into consideration!

*Sarah*