View Full Version : Getting there!! Logs
I have spent the last day and 1/2 getting my system up and running ...... I noticed a pile of zip files in my shared limewire file that weren't mine. Clicked on one of them (first mistake) and spy sheriff started among other things -. ...black & blue screens, piles of popups, system shutdown, etc. As a result I came across your site and am up and running. However, I still have some problems and would like to clean everything up before reinstalling my anti-virus.
I have
- uninstalled all old java prgms
- downloaded and installed window updates
- run ad-aware, Spybot S&D, Panda, Spyware Doctor, Housecall and CCleaner numerous times
Thanks in advance for your help
SpyBot S&D and 2nd Hyjack log follow - post too long for others - may forward if necessary.
Incident Status Location
Adware:adware/secure32 Not disinfected C:\secure32.html
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\KEYBOARD21.dat
Adware:adware/webhancer Not disinfected C:\PROGRAM FILES\whInstall
Adware:adware/toprebates Not disinfected C:\PROGRAM FILES\WebRebates4
Adware:adware/powerscan Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\smitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\smitRem\Process.exe
Adware:Adware/WebHancer Not disinfected C:\Program Files\whInstall\whAgent.exe
Adware:Adware/WebHancer Not disinfected C:\Program Files\whInstall\whSurvey.exe
Adware:Adware/WebHancer Not disinfected C:\Program Files\whInstall\webhdll.dll
Adware:Adware/WebHancer Not disinfected C:\Program Files\whInstall\whiehlpr.dll
Adware:Adware/TopRebates Not disinfected C:\Program Files\Lime_Shop\Limeshop1.exe
Adware:Adware/TopRebates Not disinfected C:\Program Files\WebRebates4\webrebates.exe
Adware:Adware/TopRebates Not disinfected C:\Program Files\WebRebates4\w11150.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\temp\smitRem.exe[Process.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whiehlpr.dll]
Logfile of HijackThis v1.99.1
Scan saved at 9:06:35 PM, on 15/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SPYWAREDETECTOR\SDSERVICE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\SPYBLOCKER.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\TWAIN_32\LGTWAIN\LGWAKEUP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=local host:1
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "sckr.com"); (C:\Program Files\Netscape\Users\pgreyell\prefs.js)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {cdad7655-4713-47ce-a804-37e0abdff379} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpyBlocker] C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\spyblocker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SDService] C:\Program Files\SpywareDetector\SDService.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AES.EXE] C:\PROGRAM FILES\BACKUP2005 PRO\AES.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Logitech Wakeup.lnk = C:\WINDOWS\TWAIN_32\LGTWAIN\LGWAKEUP.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\My Download Files\Add.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\My Download Files\QuickSave.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\My Download Files\Search.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RF Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\MY DOWNLOAD FILES\SURFBAR.DLL (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com./pcpitstop/PCPitStop.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.67.253.195,24.67.253.212,192.168.1.1
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\MY DOWNLOAD FILES\AS_AIPP.DLL
Am able to send 1st Hijack log if required (too long for this post).
Thks in advance for your help.
CalamityJane
2006-03-17, 02:01
Hi Boris,
Could you go ahead and post the other log? I'm not sure if this is the current or the old log as it dated yesterday's date :scratch: .
Logfile of HijackThis v1.99.1
Scan saved at 9:06:35 PM, on 15/03/2006
Thks for helping - here is first Hijack log - also ran smitRem and panda if you would like me to forward?
Logfile of HijackThis v1.99.1
Scan saved at 7:27:35 PM, on 15/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SPYWAREDETECTOR\SDSERVICE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\SPYBLOCKER.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\TWAIN_32\LGTWAIN\LGWAKEUP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=local host:1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "sckr.com"); (C:\Program Files\Netscape\Users\pgreyell\prefs.js)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {cdad7655-4713-47ce-a804-37e0abdff379} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpyBlocker] C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\spyblocker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SDService] C:\Program Files\SpywareDetector\SDService.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AES.EXE] C:\PROGRAM FILES\BACKUP2005 PRO\AES.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Logitech Wakeup.lnk = C:\WINDOWS\TWAIN_32\LGTWAIN\LGWAKEUP.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\My Download Files\Add.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\My Download Files\QuickSave.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\My Download Files\Search.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RF Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\MY DOWNLOAD FILES\SURFBAR.DLL (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com./pcpitstop/PCPitStop.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.67.253.195,24.67.253.212,192.168.1.1
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\MY DOWNLOAD FILES\AS_AIPP.DLL
CalamityJane
2006-03-17, 03:25
Thks for helping - here is first Hijack log - also ran smitRem and panda if you would like me to forward?
Yes please, I would like those two as well.
Then, please do now a Scan and post a fresh log from HijackThis from today, just so I can be sure where you are right now :)
It's my pleasure to help Boris!
Hey CJ - thks again for helping - following are fresh logs.
smitRem © log file
version 2.8
by noahdfear
Windows Millennium [Version 4.90.3000]
Running from
C:\Program Files\smitRem\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~ wininet.dll ~~~~
wininet.dll Present!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~ wininet.dll ~~~~
wininet.dll Clean!! :)
Incident Status Location
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\KEYBOARD21.dat
Adware:adware/webhancer Not disinfected C:\PROGRAM FILES\whInstall
Adware:adware/powerscan Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\smitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\smitRem\Process.exe
Adware:Adware/TopRebates Not disinfected C:\Program Files\Lime_Shop\Limeshop1.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\temp\smitRem.exe[Process.exe]
Adware:Adware/Deskwizz Not disinfected C:\DR140306.exe
Logfile of HijackThis v1.99.1
Scan saved at 12:52:17 PM, on 17/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SPYWAREDETECTOR\SDSERVICE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMA32.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMB32.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FCH32.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSBWSYS.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FAMEH32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSQH.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSGK32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSRW.EXE
C:\PROGRAM FILES\SHAW SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSSM32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSAV32.EXE
C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\SPYBLOCKER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\ISPNEWS.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSM32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSGUIDLL.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\FSAW.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSPEX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=local host:1
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "sckr.com"); (C:\Program Files\Netscape\Users\pgreyell\prefs.js)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {cdad7655-4713-47ce-a804-37e0abdff379} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABTB.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpyBlocker] C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\spyblocker.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [News Service] "C:\PROGRAM FILES\SHAW SECURE\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\PROGRAM FILES\SHAW SECURE\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure TNB] "C:\PROGRAM FILES\SHAW SECURE\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SDService] C:\Program Files\SpywareDetector\SDService.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\PROGRAM FILES\SHAW SECURE\Common\FSMA32.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AES.EXE] C:\PROGRAM FILES\BACKUP2005 PRO\AES.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SuperAdBlocker] C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\My Download Files\Add.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\My Download Files\QuickSave.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\My Download Files\Search.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\PROGRAM FILES\WEBREBATES4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: &Block this popup - C:\PROGRAM FILES\SHAW SECURE\Anti-Spyware\blockpopups.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RF Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\IESHIELD.DLL
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\IESHIELD.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\MY DOWNLOAD FILES\SURFBAR.DLL (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com./pcpitstop/PCPitStop.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.67.253.195,24.67.253.212,192.168.1.1
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\MY DOWNLOAD FILES\AS_AIPP.DLL
O20 - Winlogon Notify: SABWinLogon - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABWINLO.DLL
System still acting up and reallllllllly slow - thoughts??
You guys deserve metals!!
CalamityJane
2006-03-17, 23:40
System still acting up and reallllllllly slow - thoughts??
Well, we haven't done anything yet :D
Hold on for a few minutes while I review these logs and write up some steps for you to follow :bigthumb:
CalamityJane
2006-03-18, 00:08
There isn't a whole lot in the log to deal with. It would be best if you temporarily disable your security software while "fixing" with HijackThis. If something squawks while making this fix, please *allow* any changes.
First, Webrebates is Adware. If you did not install this on purpose, please go to your Control Panel and look in Add/remove programs and uninstall it from there. You may afterwards also delete the following folder (if present)
C:\PROGRAM FILES\WEBREBATES4
Scan with HijackThis and checkmark the following items in the list and then press the *fix checked* button
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {cdad7655-4713-47ce-a804-37e0abdff379} - (no file)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
Delete these files found by Panda:
C:\WINDOWS\uniq
C:\WINDOWS\KEYBOARD21.dat
C:\PROGRAM FILES\whInstall
C:\DR140306.exe
Reboot your PC. Scan again with HijackThis and post a fresh log please.
If you are still seeing problems I need to know exactly what they are.
Hey CJ - Thks - Followed your instructions - just ran a new hijack log and it follows. Re problems I still have - first of all - am really close and can certainly run with how things are now but......
--every start up starts with scandisk - using standard shutdown and restart. It just keeps on scanning - would go on forever so I just cancel and continue but it takes time and is annoying.
--First message on startup is "can't find ibm 00003.exe"
Keeps freezing when more than a couple of programs are open with program windows on top of each other and looks kinda like an x-ray - only way I can get --out (task mgr won't work) is to power off and start all over again (over and over)
-- only 1 time out of 10 will system completely shut down - just hangs after shutdown with a blue screen and the hour glass blinking.
--system also running pretty slow compared to before
again ..... I can live with it - you've got alot more members with more serious issues than mine now.
I appreciate your help and keep up the good work..... Thank you!
Oh, I fixed those toolbars with hijack but I see they are back...
Logfile of HijackThis v1.99.1
Scan saved at 9:20:50 AM, on 18/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SPYWAREDETECTOR\SDSERVICE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMA32.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMB32.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FCH32.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSBWSYS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SHAW SECURE\COMMON\FAMEH32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSQH.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSGK32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSRW.EXE
C:\PROGRAM FILES\SHAW SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSSM32.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSAV32.EXE
C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\SPYBLOCKER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\ISPNEWS.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSM32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSGUIDLL.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\FSAW.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSPEX.EXE
C:\PROGRAM FILES\SPYWAREDETECTOR\SDSYSTEMTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=local host:1
N1 - Netscape 4: user_pref("browser.startup.homepage", "sckr.com"); (C:\Program Files\Netscape\Users\pgreyell\prefs.js)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABTB.DLL
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {cdad7655-4713-47ce-a804-37e0abdff379} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpyBlocker] C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\spyblocker.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [News Service] "C:\PROGRAM FILES\SHAW SECURE\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\PROGRAM FILES\SHAW SECURE\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure TNB] "C:\PROGRAM FILES\SHAW SECURE\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SDService] C:\Program Files\SpywareDetector\SDService.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\PROGRAM FILES\SHAW SECURE\Common\FSMA32.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AES.EXE] C:\PROGRAM FILES\BACKUP2005 PRO\AES.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SuperAdBlocker] C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\My Download Files\Add.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\My Download Files\QuickSave.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\My Download Files\Search.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\PROGRAM FILES\WEBREBATES4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: &Block this popup - C:\PROGRAM FILES\SHAW SECURE\Anti-Spyware\blockpopups.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RF Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\IESHIELD.DLL
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\IESHIELD.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\MY DOWNLOAD FILES\SURFBAR.DLL (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com./pcpitstop/PCPitStop.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.67.253.195,24.67.253.212,192.168.1.1
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\MY DOWNLOAD FILES\AS_AIPP.DLL
O20 - Winlogon Notify: SABWinLogon - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABWINLO.DLL
CalamityJane
2006-03-18, 21:50
Hi Boris,
Those fixes with HJT did not take because of your other security software blocking these fixes.
It would be best if you temporarily disable your security software while "fixing" with HijackThis. If something squawks while making this fix, please *allow* any changes.
I can give you the instruction for how to disable Spybot teatimer but the others, I don't know (Spyblocker, SPYWAREDETECTOR, F-Secure etc.)
Spybot TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
So disable all of those programs you have running and try the fixes I listed above using Hijackthis, reboot and scan again to post a fresh log.
Don't forget to re-enable them once you are able to get those HJT fixes to take.
.............................
I would also like to see the following addition logs:
1. Open HijackThis and choose *Open Misc Tools Section*
At the top of that page you will a section entitled Startup List. Please checkmark the two boxes in that section and press the *Generate Startup Log*. Post the results of that log back here.
2. Open Hijackthis and choose *Open Misc Tools Section* then choose *Open Uninstall Manager* from the System Tools section. That will make a list of installed programs. Please press the *Save list* button and copy that back here as well.
HeyCJ - that took me a bit - the reason the fixes wouldn't take (I think) is because I'd accidently blocked (rather than allowed) the changes and also clicked the remember this decision - (I tried that fix to get the buttons to light up but it didn't work) sometimes I mix up the buttons - I saw another post re the fix so will tackle that when I get this stuff done.
So here is the latest Hijack log with the fixes fixed!! Yes!
Logfile of HijackThis v1.99.1
Scan saved at 3:33:32 PM, on 18/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SPYWAREDETECTOR\SDSERVICE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMA32.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMB32.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FCH32.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSBWSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSQH.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FAMEH32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSGK32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSRW.EXE
C:\PROGRAM FILES\SHAW SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSSM32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSAV32.EXE
C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\SPYBLOCKER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\ISPNEWS.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSM32.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSGUIDLL.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\FSAW.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSPEX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=local host:1
N1 - Netscape 4: user_pref("browser.startup.homepage", "sckr.com"); (C:\Program Files\Netscape\Users\pgreyell\prefs.js)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABTB.DLL
O4 - HKLM\..\Run: [SpyBlocker] C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\spyblocker.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [News Service] "C:\PROGRAM FILES\SHAW SECURE\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\PROGRAM FILES\SHAW SECURE\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure TNB] "C:\PROGRAM FILES\SHAW SECURE\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SDService] C:\Program Files\SpywareDetector\SDService.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\PROGRAM FILES\SHAW SECURE\Common\FSMA32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AES.EXE] C:\PROGRAM FILES\BACKUP2005 PRO\AES.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SuperAdBlocker] C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\My Download Files\Add.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\My Download Files\QuickSave.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\My Download Files\Search.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\PROGRAM FILES\WEBREBATES4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: &Block this popup - C:\PROGRAM FILES\SHAW SECURE\Anti-Spyware\blockpopups.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RF Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\IESHIELD.DLL
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\IESHIELD.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\MY DOWNLOAD FILES\SURFBAR.DLL (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com./pcpitstop/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.67.253.195,24.67.253.212,192.168.1.1
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\MY DOWNLOAD FILES\AS_AIPP.DLL
O20 - Winlogon Notify: SABWinLogon - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABWINLO.DLL
Hijack Startup Log to follow
uninstall list
Abacast Client
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe PhotoDeluxe 1.0
Adobe Reader 6.0.1
ASTRA32 - Advanced System Information Tool 1.30
Backup Dell-Installed Programs
Backup2005 Pro
BJ Printer Driver
Canon Camera WIA Driver 6.2.5
CCleaner (remove only)
CeQuadrat just!audio
CeQuadrat WinOnCD 3.6
Click'N Burn Pro 2.0 (English)
ClipMate 5.1
Copernic Desktop Search
DAO 3.5
DART CD-Recorder 4
Dell ResourceCD
Dell Solution Center
DellTouch
Easy CD Creator 5 Platinum
EasyCleaner
EasyCleaner
Family Tree Maker
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hijackthis 1.99.1
ImageDrive (ahead software)
Intel Ultra ATA Storage Driver
Internet Client 2.4
Internet Explorer Q891781
InterVideo WinDVD
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
LimeWire
LimeWire 4.9.33
LiveReg (Symantec Corporation)
LMReaders
Logitech PageScan Color Pro
Macromedia Shockwave Player
MapSource - Americas BlueChart v5.5
MapSource - Trip & Waypoint Manager v2
Micro Logic Info Select 6.0
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2001
Microsoft IntelliPoint
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Outlook Express 5
Microsoft Picture It! Publishing 2001
Microsoft PowerPoint Viewer 97
Microsoft VGX Q833989
Microsoft Web Publishing Wizard 1.6
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
mIRC
MoodLogic
Mozilla Firefox (1.5.0.1)
Mozilla Thunderbird (1.5)
Multimedia Typing Teacher v1.00
MusicMatch Jukebox
Nero - Burning Rom (Web installer)
NetMos Multi-IO Controller
NVIDIA Windows 95/98/ME Display Drivers
Panda ActiveScan
Picasa 2
PowerArchiver 2004 v9.25
Print Workshop 2005
PrintMaster Gold 7.1.1
PRO200WL
Quicken Home & Business 99
QuickTax 2004
QuickTax 2005
Readiris Pro 8 Demo
RealOne Player
Remote Desktop Connection
Remote Desktop Connection
Rescue Disk
Seagate Backup Exec for Windows 9x/NT 4.01 (OEM)
Shareaza version 2.2.1.0
Shaw Secure
Shockwave
Simply Safe Backup Free Edition
SolSuite
Sound Blaster Live! Value
Spybot - Search & Destroy 1.4
Spyware Detector
Spyware Doctor 3.5
Super Ad Blocker
TreeSize 1.75
User's Guides
Winamp (remove only)
Windows Millennium Edition KB891711 Update
Windows Millennium Edition Q823559 Update
Windows Registry Guide
and next startup list
And last - Hijact Startup Log
StartupList report, 18/03/2006, 3:56:44 PM
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SPYWAREDETECTOR\SDSERVICE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMA32.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSMB32.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FCH32.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSBWSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSQH.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FAMEH32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSGK32.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSRW.EXE
C:\PROGRAM FILES\SHAW SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSSM32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-VIRUS\FSAV32.EXE
C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\SPYBLOCKER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\ISPNEWS.EXE
C:\PROGRAM FILES\SHAW SECURE\COMMON\FSM32.EXE
C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSGUIDLL.EXE
C:\PROGRAM FILES\SHAW SECURE\ANTI-SPYWARE\FSAW.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SHAW SECURE\BACKWEB\3875767\PROGRAM\FSPEX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SpyBlocker = C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\spyblocker.exe
SystemTray = SysTray.Exe
Speed racer = C:\Program Files\Creative\PlayCenter\CTSRReg.exe
MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
News Service = "C:\PROGRAM FILES\SHAW SECURE\FSGUI\ispnews.exe"
F-Secure Manager = "C:\PROGRAM FILES\SHAW SECURE\Common\FSM32.EXE" /splash
F-Secure Startup Wizard = "C:\PROGRAM FILES\SHAW SECURE\FSGUI\FSSW.EXE" /reboot
F-Secure TNB = "C:\PROGRAM FILES\SHAW SECURE\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SDService = C:\Program Files\SpywareDetector\SDService.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
SchedulingAgent = mstask.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
F-Secure Management Agent = C:\PROGRAM FILES\SHAW SECURE\Common\FSMA32.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AES.EXE = C:\PROGRAM FILES\BACKUP2005 PRO\AES.EXE
Spyware Doctor = "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
SuperAdBlocker = C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
SpybotSD TeaTimer = C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
[AutorunsDisabled]
Limeshop0 = "C:\PROGRAM FILES\LIME_SHOP\Limeshop0.exe"
webrebates = "C:\PROGRAM FILES\WEBREBATES4\WEBREBATES.EXE"
winupdates = C:\Program Files\winupdates\winupdates.exe /auto
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = C:\WINDOWS\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf
[PerUser_CVT_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
[PerUser_HNW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf
[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
[PerUser_PCHealth] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
[PerUser_dxxspace_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf
[PerUser_ZoneGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf
[PerUser_PBGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf
[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
[PerUser_Sysmon_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf
[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf
[PerUser_netwatch_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf
[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 C:\WINDOWS\INF\appletpp.inf
[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
[MmoptMusicaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf
[MmoptJunglePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf
[MmoptRobotzPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf
[MmoptUtopiaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[OlsProdigyPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf
[OlsEarthlinkPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 C:\WINDOWS\INF\ols.inf
[Shell3PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf
[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf
[PerUser_Preptool] *
StubPath = rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\WINDOWS\INF\RUNLAST.INF
[^RNA] *
StubPath = rundll rnasetup.dll,installoptionalcomponent rna
[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub
[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe
[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf
[PerUser_ICS_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICS_Inis 64 C:\WINDOWS\INF\ics.inf
[>{8CC2FDC0-0C5D-11D7-AD8E-0050DA87D0EB}S25425] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[PerUser_moviemaker] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf
[PerUser_Enable_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf
[OlsAolPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf
[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
[OlsAttPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf
[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
[PerUser_CharMap_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf
[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf
[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf
[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe
[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
Next half to follow.... this must mean it's far too long
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=explorer.exe ibm00003.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.INI listing:
*File not found*
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 18/3/2006, 12:53:24)
[Rename]
NUL=C:\WINDOWS\TEMP\OLD5161.TMP
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET PATH=C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
--------------------------------------------------
C:\CONFIG.SYS listing:
*File is empty*
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
C:\WINDOWS\tmpcpyis.bat
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE
LH C:\PROGRA~1\MICROS~1\MOUSE\MOUSE.EXE
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SuperAdBlockerBHO Class - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL - {00000000-6C30-11D8-9363-000AE6309654}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job
Scheduled scanning task.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Spybot - Search & Destroy - Scheduled Task.job
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.4553472222
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com./pcpitstop/PCPitStop.CAB
[{32564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
[{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
--------------------------------------------------
Enumerating Win9x VxD services:
VNETSUP: vnetsup.vxd
VPOWERD: *VPOWERD
NDIS: ndis.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *MTRR
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
SYMTDI: SYMTDI.VXD
VSERVER: (no file)
NDISWAN: ndiswan.vxd
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 28,967 bytes
Report generated in 0.154 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Again ---- Thks for your help....
CalamityJane
2006-03-23, 22:31
Hi Boris,
I missed seeing your reply here! I hope you see this.
In HijackThis, please scan and then checkmark this item, then press the *fix checked* button:
O4 - HKLM\..\Run: [SpyBlocker] C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM\CRACK\spyblocker.exe
Delete this folder:
C:\DOWNLOADS\SPYBLOCKER.V8.8.WINALL.CRACKED-BM
..................................
Next:
1. Click Start, and click Run.
2. Copy and paste in the box the following text, and then click OK.
edit c:\windows\system.ini
The MS-DOS Editor opens.
NOTE: If Windows is installed in a different location, make the appropriate path substitution.
3. In the section of the file, look for a line similar to the following:
[b]shell = explorer.exe ibm00003.exe
4. If it exists, delete this from that line: ibm00003.exe. When you have finished, only shell = explorer.exe should remain.
5. Click File, and click Save.
6. Click File, and click Exit.
..............
Delete these two folders (if found):
C:\PROGRAM FILES\WEBREBATES4
C:\Program Files\winupdates
Are you seeing any other problems at this point?
CalamityJane
2006-03-23, 23:01
I almost forgot to add some very important information you need to know. That ibm0003.exe is a known password stealer and a keylogger and you need to take appropriate steps to safeguard any sensitive information that may have been on that computer - change ALL your passwords to any accounts.
There are several variants of this trojan but you need to be aware of what it can do:
http://www.sophos.com/virusinfo/analyses/trojtorpigg.html
Name Troj/Torpig-G
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Agent.bu
* PWS-JA
.............................
Additional information:
Troj/Torpig-G is an information stealing Trojan for the Windows platform.
When Troj/Torpig-G is run some or all of the following files are created either in the folder C:\Program Files\Common Files\Microsoft Shared\Web Folders or in the folder <Windows system folder>\..\temp:
ibm00003.dll
ibm00001.exe
ibm00004.dll
<random>.tmp
The file ibm00001.exe is detected is Troj/Torpig-D. The file <random>.tmp is a clean data file. All other files are detected as Troj/Torpig-G.
The following registry entry is created to run ibm00001.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<path to ibm00001.exe>
The following registry entry may be created to run ibm00001.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<path to ibm00001.exe>"
An entry may be added to the file SYSTEM.INI in the "boot" section with a key name of "shell" to attempt to run ibm00001.exe on startup.
The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP.
Troj/Torpig-G automatically closes security warning messages displayed by common anti-virus and security related applications.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
This topic will now be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.