Logfile of HijackThis v1.99.1
Scan saved at 15:52:44, on 16/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\MODEMLOCK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSOLE32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDCORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDGUI.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [BT Modem Lock] "C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BT Modem Lock SVC] "C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\ONSPEED\GUI_RESOURCE.DLL/328
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\ONSPEED\GUI_RESOURCE.DLL/327
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe

Which files do I delete, please?

Welcome to the Webuser forum.

Step 1
Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.
Download SmitRem.zip and save the file to your desktop. Right click on the file and extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions here. Otherwise, check for updates and download any new reference files before closing the program. We'll use it in Safe Mode later.

Step 2
Next, please reboot your computer in Safe Mode - Very Important !!
Run HJT again and checkmark the boxes next to the following:-

O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe

Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked.

Step 3
Open the SmitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

Step 4
Open Ad-Aware and do a full system scan. Remove all it finds.

Step 5
Next go to your Control Panel and click Display | Desktop | Customise Desktop | Website | Uncheck "Security Info" if present. Remove the check by "View my Active desktop as a web page". Click OK then Apply and OK.

Reboot back into Windows and click the Panda ActiveScan shortcut, and do a full system scan. Save the scan log and post it along with a new HijackThis Log in your next reply to THIS thread.

Let me know if any problems persist.

Please find enclosed the Panda ActiveScan and HijackThis scan logs. I would also mention that the Ad-Aware scan I did prior to these scans failed to delete the four files below:

C:\RESTORE\TEMP\A0011593-1
C:\RESTORE\TEMP\A0011594-1
C:\RESTORE\TEMP\A0011595-1
C:\RESTORE\TEMP\A0033806.CPY

Do I have to keep the SmitRem folder on my computer now this has been done?

Panda ActiveScan Log:

| Incident | Status | Location |
|---|---|---|
| Adware:adware/ilookup | No disinfected | C:\PROGRAM FILES\COMMON FILES\svchost.exe |
| Adware:adware/gator | No disinfected | C:\GatorPatch.log |
| Adware:adware/easysearch | No disinfected | C:\WINDOWS\iau.exe |
| Adware:adware/exactsearch | No disinfected | Windows Registry |
| Dialer:dialer generic | No disinfected | HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} |
| Possible Virus. | No disinfected | C:\WINDOWS\Downloaded Program Files\em-meuk.exe |
| Dialer:Dialer.BAZ | No disinfected | C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll |
| Dialer:Dialer.BAZ | No disinfected | C:\WINDOWS\Downloaded Program Files\btwebcontrol.inf |
| Dialer:Dialer.CMG | No disinfected | C:\WINDOWS\Downloaded Program Files\axfreeaccess.dll |
| Virus:Trj/MiniLD.C | Disinfected | C:\WINDOWS\iau.exe |
| Virus:Trj/MiniLD.C | Disinfected | C:\WINDOWS\msiau.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\stisvsq.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\csrss.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\winlogon.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\smssa.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\uvchost.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\taskmgr.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\svshost.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\msqdevl.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\lssas.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\WINDOWS\mservice.exe |
| Possible Virus. | No disinfected | C:\Program Files\Common Files\svchost.exe |
| Adware:Adware/Noname | No disinfected | C:\Program Files\Internet Explorer\ybgdisuh.exe |
| Adware:Adware/Noname | No disinfected | C:\Program Files\Internet Explorer\ofyglegc.exe |
| Adware:Adware/Noname | No disinfected | C:\Program Files\Internet Explorer\txyomrdd.exe |
| Virus:Trj/Cloak.C | Disinfected | C:\_RESTORE\TEMP\A0011210.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011220.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011227.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011241.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011243.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011255.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011267.CPY |
| Virus:W32/Smitfraud.E | Disinfected | C:\_RESTORE\TEMP\A0011280.CPY |
| Virus:W32/Smitfraud.E | Disinfected | C:\_RESTORE\TEMP\A0011288.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A7271900.0 |
| Spyware:Spyware/Zhopa | No disinfected | C:\_RESTORE\TEMP\A0011343.CPY |
| Adware:Adware/Startpage.VF | No disinfected | C:\_RESTORE\TEMP\A0011593.0 |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\TEMP\A0011594.0 |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\TEMP\A0011595.0 |
| Virus:Trj/Cloak.C | Disinfected | C:\_RESTORE\TEMP\A0022638.CPY |
| Virus:Trj/Cloak.C | Disinfected | C:\_RESTORE\TEMP\A0022647.CPY |
| Virus:Trj/CLicker.IX | Disinfected | C:\_RESTORE\TEMP\A0035160.CPY |
| Virus:Trj/MiniLD.C | Disinfected | C:\_RESTORE\TEMP\A0036577.CPY |
| Virus:Trj/MiniLD.C | Disinfected | C:\_RESTORE\TEMP\A0036578.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\ARCHIVE\FS23.CAB[A0004642.CPY] |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\ARCHIVE\FS23.CAB[A0004644.CPY] |
| Adware:Adware/Startpage.VF | No disinfected | C:\_RESTORE\ARCHIVE\FS26.CAB[A0005738.CPY] |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\ARCHIVE\FS26.CAB[A0005739.CPY] |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\ARCHIVE\FS26.CAB[A0005740.CPY] |
| Virus:Trj/Small.AG | Disinfected | C:\Recycled\1.exe |
| Virus:Trj/Downloader.KD | Disinfected | C:\explorer.cab |
| Dialer:Dialer.OZ | No disinfected | C:\info6_s.cab[Information.exe] |
| Dialer:Dialer.ZE | No disinfected | C:\info6_s.cab[Information_s.INF] |

HijackThis Scan Log:

Logfile of HijackThis v1.99.1
Scan saved at 13:36:14, on 22/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\MODEMLOCK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDCORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDGUI.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [BT Modem Lock] "C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BT Modem Lock SVC] "C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunOnce: [Panda_cleaner_200631] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 200631
O4 - HKLM\..\RunOnce: [Panda_cleaner_204127] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 204127
O4 - HKLM\..\RunOnce: [Panda_cleaner_55601] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 55601
O4 - HKLM\..\RunOnce: [Panda_cleaner_202939] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 202939
O4 - HKLM\..\RunOnce: [Panda_cleaner_193413] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 193413
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

Download Killbox from here. Double-click killbox.exe on your desktop. Select the option "Delete on reboot".

Now highlight and 'copy' the entire list of filepaths below:

C:\PROGRAM FILES\COMMON FILES\svchost.exe
C:\GatorPatch.log
C:\WINDOWS\Downloaded Program Files\em-meuk.exe
C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll
C:\WINDOWS\Downloaded Program Files\btwebcontrol.inf
C:\WINDOWS\Downloaded Program Files\axfreeaccess.dll
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\csrss.dll
C:\WINDOWS\winlogon.dll
C:\WINDOWS\smssa.dll
C:\WINDOWS\uvchost.dll
C:\WINDOWS\taskmgr.dll
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\Program Files\Internet Explorer\ybgdisuh.exe
C:\Program Files\Internet Explorer\ofyglegc.exe
C:\Program Files\Internet Explorer\txyomrdd.exe
C:\info6_s.cab

Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'. Now you will see this is pasted in the "Full Path of File to Delete" field. There's a little arrow (dropdown arrow) next to that field. If you expand it, these lines should be there together! Then press the red button with a white X in it. Killbox will tell you that all listed files will be deleted on next reboot. Click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Can you please go to WINDOWS UPDATE and install ALL critical updates, and click HERE to get the latest IE. Then rerun the Panda scan and post the log back here along with a fresh HJT log.

P.S. Just leave any programs I have asked you to download until we get your computer sorted; there is still a lot of different infections there.

Here are the latest Panda scan log and HijackThis log:

| Incident | Status | Location |
|---|---|---|
| Adware:adware/exactsearch | No disinfected | Windows Registry |
| Dialer:dialer generic | No disinfected | HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} |
| Virus:Trj/Cloak.C | Disinfected | C:\_RESTORE\TEMP\A0011210.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011220.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011227.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011241.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011243.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011255.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A0011267.CPY |
| Virus:W32/Smitfraud.E | Disinfected | C:\_RESTORE\TEMP\A0011280.CPY |
| Virus:W32/Smitfraud.E | Disinfected | C:\_RESTORE\TEMP\A0011288.CPY |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\TEMP\A7271900.0 |
| Spyware:Spyware/Zhopa | No disinfected | C:\_RESTORE\TEMP\A0011343.CPY |
| Adware:Adware/Startpage.VF | No disinfected | C:\_RESTORE\TEMP\A0011593.0 |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\TEMP\A0011594.0 |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\TEMP\A0011595.0 |
| Virus:Trj/Cloak.C | Disinfected | C:\_RESTORE\TEMP\A0022638.CPY |
| Virus:Trj/Cloak.C | Disinfected | C:\_RESTORE\TEMP\A0022647.CPY |
| Virus:Trj/CLicker.IX | Disinfected | C:\_RESTORE\TEMP\A0035160.CPY |
| Virus:Trj/MiniLD.C | Disinfected | C:\_RESTORE\TEMP\A0036577.CPY |
| Virus:Trj/MiniLD.C | Disinfected | C:\_RESTORE\TEMP\A0036578.CPY |
| Virus:Trj/Small.AG | Disinfected | C:\_RESTORE\TEMP\A0036587.CPY |
| Possible Virus. | No disinfected | C:\_RESTORE\TEMP\SVCHOST.0 |
| Possible Virus. | No disinfected | C:\_RESTORE\TEMP\EM-MEUK.0 |
| Dialer:Dialer.BAZ | No disinfected | C:\_RESTORE\TEMP\BTWEBC~1.0 |
| Dialer:Dialer.BAZ | No disinfected | C:\_RESTORE\TEMP\BTWEBC~1.1 |
| Dialer:Dialer.CMG | No disinfected | C:\_RESTORE\TEMP\AXFREE~1.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\STISVSQ.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\CSRSS.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\WINLOGON.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\SMSSA.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\UVCHOST.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\TASKMGR.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\SVSHOST.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\MSQDEVL.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\LSSAS.0 |
| Adware:Adware/Startpage.MP | No disinfected | C:\_RESTORE\TEMP\MSERVICE.0 |
| Adware:Adware/Noname | No disinfected | C:\_RESTORE\TEMP\YBGDISUH.0 |
| Adware:Adware/Noname | No disinfected | C:\_RESTORE\TEMP\OFYGLEGC.0 |
| Adware:Adware/Noname | No disinfected | C:\_RESTORE\TEMP\TXYOMRDD.0 |
| Dialer:Dialer.OZ | No disinfected | C:\_RESTORE\TEMP\INFO6_S.0[Information.exe] |
| Dialer:Dialer.ZE | No disinfected | C:\_RESTORE\TEMP\INFO6_S.0[Information_s.INF] |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\ARCHIVE\FS23.CAB[A0004642.CPY] |
| Adware:Adware/PsGuard | No disinfected | C:\_RESTORE\ARCHIVE\FS23.CAB[A0004644.CPY] |
| Adware:Adware/Startpage.VF | No disinfected | C:\_RESTORE\ARCHIVE\FS26.CAB[A0005738.CPY] |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\ARCHIVE\FS26.CAB[A0005739.CPY] |
| Adware:Adware/SearchAid | No disinfected | C:\_RESTORE\ARCHIVE\FS26.CAB[A0005740.CPY] |
| Dialer:Dialer.OZ | No disinfected | C:\!Submit\info6_s.cab[Information.exe] |
| Dialer:Dialer.ZE | No disinfected | C:\!Submit\info6_s.cab[Information_s.INF] |
| Adware:Adware/Noname | No disinfected | C:\!Submit\txyomrdd.exe |
| Adware:Adware/Noname | No disinfected | C:\!Submit\ofyglegc.exe |
| Adware:Adware/Noname | No disinfected | C:\!Submit\ybgdisuh.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\mservice.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\lssas.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\msqdevl.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\svshost.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\taskmgr.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\uvchost.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\smssa.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\winlogon.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\csrss.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\stisvsq.exe |
| Dialer:Dialer.CMG | No disinfected | C:\!Submit\axfreeaccess.dll |
| Dialer:Dialer.BAZ | No disinfected | C:\!Submit\btwebcontrol.inf |
| Dialer:Dialer.BAZ | No disinfected | C:\!Submit\btwebcontrol.dll |
| Possible Virus. | No disinfected | C:\!Submit\em-meuk.exe |
| Possible Virus. | No disinfected | C:\!Submit\svchost.exe |

Logfile of HijackThis v1.99.1
Scan saved at 16:57:01, on 22/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\MODEMLOCK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDCORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDGUI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [BT Modem Lock] "C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BT Modem Lock SVC] "C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunOnce: [Panda_cleaner_200631] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 200631
O4 - HKLM\..\RunOnce: [Panda_cleaner_204127] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 204127
O4 - HKLM\..\RunOnce: [Panda_cleaner_55601] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 55601
O4 - HKLM\..\RunOnce: [Panda_cleaner_202939] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 202939
O4 - HKLM\..\RunOnce: [Panda_cleaner_193413] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 193413
O4 - HKLM\..\RunOnce: [Panda_cleaner_100849] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 100849
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

You didn't get the updates from Microsoft. Once you've updated your IE to IE6, post a fresh HJT log.

I am having trouble downloading the updates on IE6, and IE. I have tried to download these several times now at different times, and when they initially load the Microsoft page opens saying they have been successfully downloaded. But then when I reboot, I get a message saying that not all the files were loaded, and would I like to continue to download. I have done this twice with the same result. I have also tried to download by starting again, but with the same problem. It gets to 93% of the download, and comes up with the same messages. Is this being caused by the problems I already have?

Disable System Restore, run your anti-virus, and when you get the all clear restart your System Restore (same page). Then create a new restore point.

To create a restore point: START > PROGRAMS > ACCESSORIES > SYSTEM TOOLS > hit SYSTEM RESTORE & check "create a restore point".

Then post another Panda scan log.

Latest Panda ActiveScan log:

| Incident | Status | Location |
|---|---|---|
| Adware:adware/exactsearch | No disinfected | Windows Registry |
| Dialer:dialer generic | No disinfected | HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} |
| Dialer:Dialer.OZ | No disinfected | C:\!Submit\info6_s.cab[Information.exe] |
| Dialer:Dialer.ZE | No disinfected | C:\!Submit\info6_s.cab[Information_s.INF] |
| Adware:Adware/Noname | No disinfected | C:\!Submit\txyomrdd.exe |
| Adware:Adware/Noname | No disinfected | C:\!Submit\ofyglegc.exe |
| Adware:Adware/Noname | No disinfected | C:\!Submit\ybgdisuh.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\mservice.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\lssas.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\msqdevl.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\svshost.exe |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\taskmgr.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\uvchost.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\smssa.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\winlogon.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\csrss.dll |
| Adware:Adware/Startpage.MP | No disinfected | C:\!Submit\stisvsq.exe |
| Dialer:Dialer.CMG | No disinfected | C:\!Submit\axfreeaccess.dll |
| Dialer:Dialer.BAZ | No disinfected | C:\!Submit\btwebcontrol.inf |
| Dialer:Dialer.BAZ | No disinfected | C:\!Submit\btwebcontrol.dll |
| Possible Virus. | No disinfected | C:\!Submit\em-meuk.exe |
| Possible Virus. | No disinfected | C:\!Submit\svchost.exe |

Go to C:\Submit and delete everything in the folder. Then post a fresh HJT log. (Try the update site again.)

Logfile of HijackThis v1.99.1
Scan saved at 19:48:21, on 23/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\MODEMLOCK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDCORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDGUI.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [BT Modem Lock] "C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BT Modem Lock SVC] "C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\ONSPEED\GUI_RESOURCE.DLL/328
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\ONSPEED\GUI_RESOURCE.DLL/327
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

I have tried to download the IE update again twice. It still gets to 93% then cuts to a message saying it was unable to download all components, please reboot and try again. I have rebooted, and I have tried again twice with the same message both times, without success.

We're going to have to dig a bit deeper. Please download SILENTRUNNERS.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
This is the Silent Runners log. I appreciate your help.

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CountrySelection" = "pctptt.exe" ["PCtel, Inc."]
"PTSNOOP" = "ptsnoop.exe" ["PCtel, Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"BTopenworld" = ""C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial" ["British Telecommunications plc"]
"BT Modem Lock" = ""C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk" ["British Telecommunications plc"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer" ["Symantec Corporation"]
"SlipStream" = ""C:\Program Files\ONSPEED\onspeedcore.exe"" ["SlipStream Data Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"BT Modem Lock SVC" = ""C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"" ["British Telecommunications plc"]
"ccEvtMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
PerUser_Sysmeter_Inis\(Default) = "Windows Setup - System Meter"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_CharMap_Inis\(Default) = "Windows Setup - Character Map"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{4115122B-85FF-4DD3-9515-F075BEDE5EB5}\(Default) = "PBlockHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL" ["SlipStream Data Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BROWSEUI.DLL" [MS]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\My Pictures\1866-3545-1698-17-09-05-1Z12-WEYMOUTH-RAMSGATE-ASHURST.jpg"

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\THEGOL~2.SCR" (The Golden Era.scr) [MS]

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"ONSPEED" -> shortcut to: "C:\Program Files\ONSPEED\onspeedgui.exe" ["SlipStream Data Inc."]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.EXE /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]
"XoftSpy" -> launches: "C:\PROGRAM FILES\XOFTSPY\XoftSpy.exe -t" [file not found]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\PROGRAM FILES\ONSPEED\sliplsp.dll ["SlipStream Data Inc."], 01 - 05, 12
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 06
C:\WINDOWS\SYSTEM\msafd.dll [MS], 07 - 09
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 10 - 11

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{8B79EE88-E62D-4AA8-B530-CC357BA112B7}" = "ONSPEED" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL" ["SlipStream Data Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{8B79EE88-E62D-4AA8-B530-CC357BA112B7}" = "ONSPEED" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL" ["SlipStream Data Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 20 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 26 seconds.
---------- (total run time: 79 seconds)
In IE go to tools\options\internet options\programs\ and click on "reset web settings".
OK, this has been done.
Did you try to update IE again?
I have tried to download Windows Update & IE, but it still won't load all the components, as before.
Follow "W"'s instructions HERE. Let us know how you go.
I am still not having any luck downloading IE & Windows Update. I followed the instructions to move all files from IE to another file before trying again. However, I rebooted and checked all files were transferred, & the original IE file was empty. But I had the Connection Wizard file reappear, although this was also in the new separate file. I attempted to delete the old remaining file, and got a message saying I could not delete as the file was in use by another operation. But nothing else was open to use it. I have left all the files in the separate file until I hear from you.
Boot up in SAFE MODE, then delete that file.
I have rebooted in safe mode, and tried to delete the Connection Wizard file, but it still won't let me. The message says it is unable to delete as this file could be in use by another operation.
Are the updates the only problem you have with the computer?
The system has slowed down now. When I try to connect to the internet, it won't connect to the opening page BT Yahoo but states it failed to connect; but when I cancel the message it stays online, so if I click on the IE icon on the toolbar it opens on the MSN homepage. I suppose this is because I have moved the files as per yesterday's instructions. I also now get a message when closing down that the BT modem lock cannot be locked due to a system failure, and to try rebooting. I have done this on several occasions without making any difference, and get the same message the next time I log off.
Try this: open Control Panel followed by Add/Remove Progs. Then remove the program BT Internet Connection Manager. This should do the trick.
I have deleted BT Internet Connection Manager, which removed the BT Yahoo icon from the desktop. After going into the old files I transferred for IE, I managed to get back on to the internet. I have tried to update IE with the same result as before.
I'm afraid this is getting out of my area now. I'm mainly involved with the malware side of it, and I have tried all the tricks that I know. It might be better if you posted in the "general forum" where some of the more techie types would probably be able to help you better. I've run out of ideas and this really isn't my strongest subject. Sorry I wasn't more help.
Thanks for all your persistent help. I think it's time I gave it a break, as I go on holiday tomorrow. Can you just confirm how I need to repost this situation when I return? I assume the priority would be to get IE updates to download, before I revert back to the spyware problem that I had to start with? I am very grateful for all your help; you can now go and have a lie down in a dark room, with a stiff drink. Thanks, Derek
As far as I can tell there is no spyware\malware left on your computer; your last log was clean. Has it reappeared?
Not as far as I'm aware. I just assumed it was still in operation due to all the problems. But if you say it's clear, then I am more than happy. Thanks again, Derek