#1 wilson, 16-09-05, 16:00
Hijack this log info

Logfile of HijackThis v1.99.1
Scan saved at 15:52:44, on 16/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\MODEMLOCK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSOLE32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDCORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDGUI.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [BT Modem Lock] "C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BT Modem Lock SVC] "C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\ONSPEED\GUI_RESOURCE.DLL/328
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\ONSPEED\GUI_RESOURCE.DLL/327
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe

Which files do I delete, please?
#2 bricat (Global Moderator), 18-09-05, 20:10
Re: Hijack this log info

Welcome to the Webuser forum.

Step 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download SmitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions here.
Otherwise, check for updates and download any new reference files before closing the program. We'll use it in Safe Mode later.

Step 2

Next, please reboot your computer in Safe Mode - Very Important !!

Run HJT again and checkmark the boxes next to the following:

O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe

Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked.

Step 3

Open the SmitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Step 4

Open Ad-Aware and do a full system scan. Remove all it finds.

Step 5

Next go to your Control Panel and click Display | Desktop | Customise Desktop | Website | Uncheck "Security Info" if present.
Remove the check by "View my Active desktop as a web page".

Click OK, then Apply and OK.

Reboot back into Windows and click the Panda ActiveScan shortcut, and do a full system scan.

Save the scan log and post it along with a new HijackThis log in your next reply to THIS thread. Let me know if any problems persist.
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
#3 wilson, 22-09-05, 14:02
Re: Hijack this log info

Please find enclosed the Panda ActiveScan and HijackThis scan logs.
I would also mention that the Ad-Aware scan I did prior to these scans failed to delete the four files below:
C:\RESTORE\TEMP\A0011593-1
C:\RESTORE\TEMP\A0011594-1
C:\RESTORE\TEMP\A0011595-1
C:\RESTORE\TEMP\A0033806.CPY

Do I have to keep the SmitRem folder on my computer now this has been done?

Panda ActiveScan log:

Incident Status Location

Adware:adware/ilookup No disinfected C:\PROGRAM FILES\COMMON FILES\svchost.exe
Adware:adware/gator No disinfected C:\GatorPatch.log
Adware:adware/easysearch No disinfected C:\WINDOWS\iau.exe
Adware:adware/exactsearch No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D}
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\em-meuk.exe
Dialer:Dialer.BAZ No disinfected C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll
Dialer:Dialer.BAZ No disinfected C:\WINDOWS\Downloaded Program Files\btwebcontrol.inf
Dialer:Dialer.CMG No disinfected C:\WINDOWS\Downloaded Program Files\axfreeaccess.dll
Virus:Trj/MiniLD.C Disinfected C:\WINDOWS\iau.exe
Virus:Trj/MiniLD.C Disinfected C:\WINDOWS\msiau.dll
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\stisvsq.exe
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\csrss.dll
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\winlogon.dll
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\smssa.dll
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\uvchost.dll
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\taskmgr.dll
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\svshost.exe
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\msqdevl.exe
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\lssas.exe
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\mservice.exe
Possible Virus. No disinfected C:\Program Files\Common Files\svchost.exe
Adware:Adware/Noname No disinfected C:\Program Files\Internet Explorer\ybgdisuh.exe
Adware:Adware/Noname No disinfected C:\Program Files\Internet Explorer\ofyglegc.exe
Adware:Adware/Noname No disinfected C:\Program Files\Internet Explorer\txyomrdd.exe
Virus:Trj/Cloak.C Disinfected C:\_RESTORE\TEMP\A0011210.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011220.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011227.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011241.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011243.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011255.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011267.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\A0011280.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\A0011288.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A7271900.0
Spyware:Spyware/Zhopa No disinfected C:\_RESTORE\TEMP\A0011343.CPY
Adware:Adware/Startpage.VF No disinfected C:\_RESTORE\TEMP\A0011593.0
Adware:Adware/SearchAid No disinfected C:\_RESTORE\TEMP\A0011594.0
Adware:Adware/SearchAid No disinfected C:\_RESTORE\TEMP\A0011595.0
Virus:Trj/Cloak.C Disinfected C:\_RESTORE\TEMP\A0022638.CPY
Virus:Trj/Cloak.C Disinfected C:\_RESTORE\TEMP\A0022647.CPY
Virus:Trj/CLicker.IX Disinfected C:\_RESTORE\TEMP\A0035160.CPY
Virus:Trj/MiniLD.C Disinfected C:\_RESTORE\TEMP\A0036577.CPY
Virus:Trj/MiniLD.C Disinfected C:\_RESTORE\TEMP\A0036578.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0004642.CPY]
Adware:Adware/PsGuard No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0004644.CPY]
Adware:Adware/Startpage.VF No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0005738.CPY]
Adware:Adware/SearchAid No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0005739.CPY]
Adware:Adware/SearchAid No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0005740.CPY]
Virus:Trj/Small.AG Disinfected C:\Recycled\1.exe
Virus:Trj/Downloader.KD Disinfected C:\explorer.cab
Dialer:Dialer.OZ No disinfected C:\info6_s.cab[Information.exe]
Dialer:Dialer.ZE No disinfected C:\info6_s.cab[Information_s.INF]

HijackThis scan log:
Logfile of HijackThis v1.99.1
Scan saved at 13:36:14, on 22/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\MODEMLOCK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDCORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDGUI.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [BT Modem Lock] "C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BT Modem Lock SVC] "C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunOnce: [Panda_cleaner_200631] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 200631
O4 - HKLM\..\RunOnce: [Panda_cleaner_204127] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 204127
O4 - HKLM\..\RunOnce: [Panda_cleaner_55601] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 55601
O4 - HKLM\..\RunOnce: [Panda_cleaner_202939] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 202939
O4 - HKLM\..\RunOnce: [Panda_cleaner_193413] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 193413
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
#4 bricat (Global Moderator), 22-09-05, 14:17
Re: Hijack this log info

Download Killbox from here.

Double-click killbox.exe on your desktop.
Select the option "Delete on reboot".
Now highlight and 'copy' the entire list of filepaths below:

C:\PROGRAM FILES\COMMON FILES\svchost.exe
C:\GatorPatch.log
C:\WINDOWS\Downloaded Program Files\em-meuk.exe
C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll
C:\WINDOWS\Downloaded Program Files\btwebcontrol.inf
C:\WINDOWS\Downloaded Program Files\axfreeaccess.dll
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\csrss.dll
C:\WINDOWS\winlogon.dll
C:\WINDOWS\smssa.dll
C:\WINDOWS\uvchost.dll
C:\WINDOWS\taskmgr.dll
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\Program Files\Internet Explorer\ybgdisuh.exe
C:\Program Files\Internet Explorer\ofyglegc.exe
C:\Program Files\Internet Explorer\txyomrdd.exe
C:\info6_s.cab


Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.

Now you will see this is pasted in the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines should be there together!

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.
Click YES.

When it asks if you would like to Reboot now, click YES.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Can you please go to WINDOWS UPDATE and install ALL critical updates, and click HERE to get the latest IE.

Then rerun the Panda scan and post the log back here along with a fresh HJT log.

P.S. Just leave any programs I have asked you to download until we get your computer sorted; there are still a lot of different infections there.
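The two HijackThis entries bricat marks for fixing (an O16 ActiveX download from a bare IP address, and an O4 Run key whose [RegSvr32] label launches msmsgs.exe from C:\WINDOWS\SYSTEM) and the lookalike system filenames in the Panda log that the Killbox list targets (csrss.dll, lssas.exe, svshost.exe, uvchost.dll) are patterns a triage script can pick out of a log before a human reads it. The script below is an added example, not code from this thread, HijackThis or Panda; it assumes the Win9x/ME system directories in SYSTEM_DIRS and treats a name one edit away from a Windows binary name as a lookalike.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Windows binary names the infection in this thread imitates (csrss.dll, lssas.exe,
# svshost.exe, uvchost.dll) or borrows as a Run-key label ([RegSvr32] -> msmsgs.exe).
KNOWN_STEMS = {"csrss", "winlogon", "lsass", "svchost", "smss", "services",
               "taskmgr", "explorer", "regsvr32", "rundll32"}
# Assumed: where those binaries legitimately live on a Win9x/ME box (lower-case).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PANDA_LINE = re.compile(r"^(?P<name>.+?)\s+(?:Disinfected|No disinfected)\s+(?P<loc>.+)$")

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap as one step ('lssas' -> 'lsass')."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_reason(path):
    """Explain why a file path resembles a Windows system binary, or return None."""
    directory, _, name = path.lower().rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    if stem in KNOWN_STEMS:
        if ext != "exe":
            return f"system binary name with .{ext} extension"
        if directory and directory not in SYSTEM_DIRS:
            return "system binary name outside a system directory"
        return None
    for known in sorted(KNOWN_STEMS):
        if osa_distance(stem, known) == 1:
            return f"name within one edit of {known}"
    return None

def triage_hjt(lines):
    """Flag O4/O16 HijackThis entries by the patterns the moderator fixed in this thread."""
    findings = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O16":  # ActiveX download (DPF): where does the code come from?
            url = body.rsplit(" - ", 1)[-1]
            try:
                ip_address(urlsplit(url).hostname or "")
                findings.append((kind, url, "ActiveX download from a bare IP address"))
            except ValueError:
                if url.lower().endswith(".exe"):
                    findings.append((kind, url, "ActiveX entry points at an .exe, not a .cab"))
        elif kind == "O4":  # autostart: 'HKLM\..\Run: [Label] C:\path\prog.exe args'
            label = re.search(r"\[([^\]]+)\]", body)
            target = re.search(r'\]\s+"?([^"]+?\.(?:exe|dll))', body, re.I)
            if not (label and target):
                continue
            binary, tag = target.group(1), label.group(1).lower()
            stem = binary.lower().rpartition("\\")[2].rpartition(".")[0]
            reason = lookalike_reason(binary)
            if not reason and tag in KNOWN_STEMS and stem != tag:
                reason = f"label [{label.group(1)}] borrows a Windows binary name but runs {stem}"
            if reason:
                findings.append((kind, binary, reason))
    return findings

def triage_panda(lines):
    """Flag Panda ActiveScan hits whose location imitates a system binary."""
    hits = [PANDA_LINE.match(line.strip()) for line in lines]
    return [(m.group("name"), m.group("loc"), lookalike_reason(m.group("loc")))
            for m in hits if m and lookalike_reason(m.group("loc"))]

# Sample input: lines copied from the logs posted in this thread, benign ones included.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe
""".strip().splitlines()
PANDA_SAMPLE = r"""
Adware:adware/ilookup No disinfected C:\PROGRAM FILES\COMMON FILES\svchost.exe
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\csrss.dll
Adware:Adware/Startpage.MP No disinfected C:\WINDOWS\lssas.exe
Virus:Trj/Downloader.KD Disinfected C:\explorer.cab
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage_hjt(HJT_SAMPLE) + triage_panda(PANDA_SAMPLE):
        print(*finding, sep=" | ")
```

Legitimate entries such as [LoadPowerProfile] Rundll32.exe (no directory, resolved via PATH) and ccApp.exe pass, while taskmon.exe is two edits from taskmgr and is deliberately not flagged.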
#5 wilson, 22-09-05, 17:16
Re: Hijack this log info

Here are the latest Panda scan log and HijackThis log:

Incident Status Location

Adware:adware/exactsearch No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D}
Virus:Trj/Cloak.C Disinfected C:\_RESTORE\TEMP\A0011210.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011220.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011227.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011241.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011243.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011255.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0011267.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\A0011280.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\A0011288.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A7271900.0
Spyware:Spyware/Zhopa No disinfected C:\_RESTORE\TEMP\A0011343.CPY
Adware:Adware/Startpage.VF No disinfected C:\_RESTORE\TEMP\A0011593.0
Adware:Adware/SearchAid No disinfected C:\_RESTORE\TEMP\A0011594.0
Adware:Adware/SearchAid No disinfected C:\_RESTORE\TEMP\A0011595.0
Virus:Trj/Cloak.C Disinfected C:\_RESTORE\TEMP\A0022638.CPY
Virus:Trj/Cloak.C Disinfected C:\_RESTORE\TEMP\A0022647.CPY
Virus:Trj/CLicker.IX Disinfected C:\_RESTORE\TEMP\A0035160.CPY
Virus:Trj/MiniLD.C Disinfected C:\_RESTORE\TEMP\A0036577.CPY
Virus:Trj/MiniLD.C Disinfected C:\_RESTORE\TEMP\A0036578.CPY
Virus:Trj/Small.AG Disinfected C:\_RESTORE\TEMP\A0036587.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\SVCHOST.0
Possible Virus. No disinfected C:\_RESTORE\TEMP\EM-MEUK.0
Dialer:Dialer.BAZ No disinfected C:\_RESTORE\TEMP\BTWEBC~1.0
Dialer:Dialer.BAZ No disinfected C:\_RESTORE\TEMP\BTWEBC~1.1
Dialer:Dialer.CMG No disinfected C:\_RESTORE\TEMP\AXFREE~1.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\STISVSQ.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\CSRSS.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\WINLOGON.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\SMSSA.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\UVCHOST.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\TASKMGR.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\SVSHOST.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\MSQDEVL.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\LSSAS.0
Adware:Adware/Startpage.MP No disinfected C:\_RESTORE\TEMP\MSERVICE.0
Adware:Adware/Noname No disinfected C:\_RESTORE\TEMP\YBGDISUH.0
Adware:Adware/Noname No disinfected C:\_RESTORE\TEMP\OFYGLEGC.0
Adware:Adware/Noname No disinfected C:\_RESTORE\TEMP\TXYOMRDD.0
Dialer:Dialer.OZ No disinfected C:\_RESTORE\TEMP\INFO6_S.0[Information.exe]
Dialer:Dialer.ZE No disinfected C:\_RESTORE\TEMP\INFO6_S.0[Information_s.INF]
Adware:Adware/PsGuard No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0004642.CPY]
Adware:Adware/PsGuard No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0004644.CPY]
Adware:Adware/Startpage.VF No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0005738.CPY]
Adware:Adware/SearchAid No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0005739.CPY]
Adware:Adware/SearchAid No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0005740.CPY]
Dialer:Dialer.OZ No disinfected C:\!Submit\info6_s.cab[Information.exe]
Dialer:Dialer.ZE No disinfected C:\!Submit\info6_s.cab[Information_s.INF]
Adware:Adware/Noname No disinfected C:\!Submit\txyomrdd.exe
Adware:Adware/Noname No disinfected C:\!Submit\ofyglegc.exe
Adware:Adware/Noname No disinfected C:\!Submit\ybgdisuh.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\mservice.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\lssas.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\msqdevl.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\svshost.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\taskmgr.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\uvchost.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\smssa.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\winlogon.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\csrss.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\stisvsq.exe
Dialer:Dialer.CMG No disinfected C:\!Submit\axfreeaccess.dll
Dialer:Dialer.BAZ No disinfected C:\!Submit\btwebcontrol.inf
Dialer:Dialer.BAZ No disinfected C:\!Submit\btwebcontrol.dll
Possible Virus. No disinfected C:\!Submit\em-meuk.exe
Possible Virus. No disinfected C:\!Submit\svchost.exe

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:57:01, on 22/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\MODEMLOCK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDCORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ONSPEED\ONSPEEDGUI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\ONSPEED\TOOLBAND.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [BT Modem Lock] "C:\PROGRAM FILES\BT YAHOO! INTERNET\WATCHDOG.EXE" -rk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BT Modem Lock SVC] "C:\PROGRAM FILES\BT YAHOO! INTERNET\ModemLock.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunOnce: [Panda_cleaner_200631] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 200631
O4 - HKLM\..\RunOnce: [Panda_cleaner_204127] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 204127
O4 - HKLM\..\RunOnce: [Panda_cleaner_55601] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 55601
O4 - HKLM\..\RunOnce: [Panda_cleaner_202939] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 202939
O4 - HKLM\..\RunOnce: [Panda_cleaner_193413] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 193413
O4 - HKLM\..\RunOnce: [Panda_cleaner_100849] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 100849
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
#6 bricat (Global Moderator), 22-09-05, 17:44
Re: Hijack this log info

You didn't get the updates from Microsoft.

Once you've updated your IE to IE6, post a fresh HJT log.
#7 wilson, 23-09-05, 09:24
Re: Hijack this log info

I am having trouble downloading the updates on IE6, and IE.
I have tried to download these several times now at different times, and when they initially load the Microsoft page opens saying they have been successfully downloaded.
But then when I reboot, I get a message saying that not all the files were loaded, and would I like to continue to download.
I have done this twice with the same result.
I have also tried to download by starting again but with the same problem.
It gets to 93% of the download, and comes up with the same messages.
Is this being caused by the problems I already have?
#8 bricat (Global Moderator), 23-09-05, 12:30
Re: Hijack this log info

Disable System Restore.
Run your anti-virus; when you get the all clear, restart your System Restore (same page), then create a new restore point.

To create a restore point:

START > PROGRAMS > ACCESSORIES > SYSTEM TOOLS > hit SYSTEM RESTORE
& check "create a restore point".

Then post another Panda scan log.
#9 wilson, 23-09-05, 17:21
Re: Hijack this log info

Latest Panda ActiveScan log:

Incident Status Location

Adware:adware/exactsearch No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D}
Dialer:Dialer.OZ No disinfected C:\!Submit\info6_s.cab[Information.exe]
Dialer:Dialer.ZE No disinfected C:\!Submit\info6_s.cab[Information_s.INF]
Adware:Adware/Noname No disinfected C:\!Submit\txyomrdd.exe
Adware:Adware/Noname No disinfected C:\!Submit\ofyglegc.exe
Adware:Adware/Noname No disinfected C:\!Submit\ybgdisuh.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\mservice.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\lssas.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\msqdevl.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\svshost.exe
Adware:Adware/Startpage.MP No disinfected C:\!Submit\taskmgr.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\uvchost.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\smssa.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\winlogon.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\csrss.dll
Adware:Adware/Startpage.MP No disinfected C:\!Submit\stisvsq.exe
Dialer:Dialer.CMG No disinfected C:\!Submit\axfreeaccess.dll
Dialer:Dialer.BAZ No disinfected C:\!Submit\btwebcontrol.inf
Dialer:Dialer.BAZ No disinfected C:\!Submit\btwebcontrol.dll
Possible Virus. No disinfected C:\!Submit\em-meuk.exe
Possible Virus. No disinfected C:\!Submit\svchost.exe
#10 bricat (Global Moderator), 23-09-05, 18:00
Re: Hijack this log info

Go to C:\Submit and delete everything in the folder.

Then post a fresh HJT log (try the update site again).