#1 - 7th August 2005 - BlickDot (Senior Member; joined Feb 2005; 54 posts; Computer Experience: Intermediate)

Adware using Windows Media Player?

This machine has problems.

When I start it WMP comes on in full screen and plays video ads.

And anything to do with a web page you can forget it.

The popups lock it up.

I managed to get HJT on and got the log though. I have HJT on a CD.

I have been running Adaware & Spybot, they always find things and they always come back.

Please help.
HJT log file:
--------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:50:24 PM, on 8/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\pglfsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.exe
c:\winnt\system32\twhisj.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Bpt\bpt.exe
C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
C:\WINNT\mcm\mcm3.exe
C:\WINNT\system32\system.mcm
C:\winnt\system32\msevnt.exe
C:\WINNT\wpwkenc.EXE
C:\winnt\system32\dxvid.exe
C:\WINNT\system32\arjllr.exe
C:\WINNT\system32\aj876b58.exe
C:\WINNT\system32\dmontvwr.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\snbfdll.EXE
C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\PROGRA~1\COMMON~1\ooiu\ooiua.exe
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\program files\internet explorer\iexplore.exe
C:\HoJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O4 - HKLM\..\Run: [ws7P3qe] dmontvwr.exe
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
O4 - HKLM\..\Run: [umrcke] c:\winnt\system32\twhisj.exe r
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mp43dmod] C:\WINNT\system32\mp43dmod.exe
O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\pglfsvc.exe

#2 - 7th August 2005 - markp62 (WindowsBBS Team Member; joined May 2002; Coppell, TX; 3,854 posts; Computer Experience: Experimediate)

After looking at this log, I am surprised your computer isn't coughing up bits and bytes. Order a pizza and get your favorite beverage ready.

Go to Start\Run, type in Services.Msc and press Enter. Locate these in the list.

System Startup Service (SvcProc)
Windows VisFx Components

Left click on each one, and Stop the service. Then right click on each one, select Properties and set to Disable.
Close the Services window.

Open HJT, and click on 'Open the misc tools section', then click on 'Delete a file on reboot'. A File Open window will appear, copy/paste this in it.

C:\WINNT\pglfsvc.exe

Now click on Open, and you will be prompted to reboot. Select No at this time, and do the same for these.

c:\winnt\system32\twhisj.exe
C:\WINNT\mcm\mcm3.exe
C:\WINNT\system32\system.mcm
C:\winnt\system32\msevnt.exe
C:\WINNT\wpwkenc.EXE
C:\winnt\system32\dxvid.exe
C:\WINNT\system32\arjllr.exe
C:\WINNT\system32\aj876b58.exe
C:\WINNT\system32\dmontvwr.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\snbfdll.EXE
C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
C:\WINNT\system32\md5.dll
C:\winnt\system32\schdwrp.dll
C:\winnt\system32\au3xtra.dll
C:\PROGRA~1\COMMON~1\ooiu\ooiua.exe
C:\WINNT\Nail.exe
C:\WINNT\enhtb.dll
C:\WINNT\dsr.dll
C:\WINNT\satmat.exe
C:\WINNT\system32\mp43dmod.exe
c:\counter.cab

Rescan with HJT, and remove these with all browsers closed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O4 - HKLM\..\Run: [ws7P3qe] dmontvwr.exe
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
O4 - HKLM\..\Run: [umrcke] c:\winnt\system32\twhisj.exe r
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [mp43dmod] C:\WINNT\system32\mp43dmod.exe
O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\pglfsvc.exe

Then reboot, and delete these folders.

C:\program files\tvs
C:\Program Files\Common Files\ooiu
C:\WINNT\isrvs
C:\WINNT\mcm
C:\Program Files\AutoUpdate
C:\Documents and Settings\All Users\Application Data\RDSA
c:\Program Files\Fla
c:\Program Files\Fln
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\Aprps
C:\Program Files\Incredifind
C:\Program Files\Bpt

Get CWShredder, update it and then run it.
http://www.majorgeeks.com/download4086.html

Please post a new HJT log.

#3 - 7th August 2005 - BlickDot (Senior Member; joined Feb 2005; 54 posts; Computer Experience: Intermediate)


OK !

Thanks for helping.
I forgot to mention this is a Win2000 Pro machine. But you knew that (HJT log).


I did most of what you instructed; the only variances were things that were not available to remove.

I stopped and disabled the services:

System Startup Service (SvcProc)
Windows VisFx Components
---------------
I used misc. tools in HJT, deleted on next start up all in the list. There was some problem with C:\WINNT\Nail.exe though.

I can't recall exactly what though; it was late, the pizza was gone and the beverage consumed.

After rebooting there is an error that comes up at startup saying that Nails.exe can't be found though.
---------------
Using HJT to remove the specified files went a little sketchier.

Not all the selections were there. I did remove anything that said sidesearch though, the Windows VisFx Components.
I don't think the C:\WINNT\pglfsvc.exe was available.
-----------------------
After rebooting I deleted all folders you stated with these exceptions:

C:\WINNT\isrvs - Not present
C:\Program Files\AutoUpdate - No Access
C:\Documents and Settings\All Users\Application Data\RDSA - No Access
C:\Program Files\Ebates_MoeMoneyMaker - Not present
C:\Program Files\Aprps - No Access
C:\Program Files\Incredifind - No Access
C:\Program Files\Bpt - No Access
-----------------------------------------
Installed and updated CWShredder.
Ran it. It found one file and removed it.
Then came up clean.

HJT Log file:
---------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:23:33 AM, on 8/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
c:\winnt\system32\seqaxk.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Bpt\bpt.exe
C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
C:\WINNT\wpwkenc.EXE
C:\WINNT\system32\arjllr.exe
C:\WINNT\snbfdll.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\helxmlc.exe
C:\WINNT\system32\dsqdx.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Aprps\CxtPls.exe
C:\HoJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ws7P3qe] helxmlc.exe
O4 - HKLM\..\Run: [plqikft] c:\winnt\system32\seqaxk.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mp43dmod] C:\WINNT\system32\mp43dmod.exe
O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
O4 - HKCU\..\Run: [hBoFRkK9S] dsqdx.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#4 - 9th August 2005 - markp62 (WindowsBBS Team Member; joined May 2002; Coppell, TX; 3,854 posts; Computer Experience: Experimediate)

At least I know Nail.Exe is gone, but the item calling it up is still there. You do have some toughies here.

Some of these things may be gone, but they appear in the log. Let's do something a bit different here.

Download the trial version of ewido security suite.
Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Close for now.
Ewido Setup

Open HJT, then click on 'Open the misc tools section', now click on 'Open Process Manager'.
Highlight each of these, and click on 'Kill Process'.

c:\winnt\system32\seqaxk.exe
C:\Program Files\Bpt\bpt.exe
C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
C:\WINNT\wpwkenc.EXE
C:\WINNT\system32\arjllr.exe
C:\WINNT\snbfdll.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\helxmlc.exe
C:\WINNT\system32\dsqdx.exe
C:\Program Files\Aprps\CxtPls.exe

Open HJT, and click on 'Open the misc tools section', then click on 'Delete a file on reboot'. A File Open window will appear, copy/paste this in it.

c:\winnt\system32\seqaxk.exe

Now click on Open, and you will be prompted to reboot. Select No at this time, and do the same for these.

C:\Program Files\Bpt\bpt.exe
C:\WINNT\wpwkenc.EXE
C:\WINNT\system32\arjllr.exe
C:\WINNT\snbfdll.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\helxmlc.exe
C:\WINNT\system32\dsqdx.exe
C:\WINNT\satmat.exe
C:\Program Files\Bpt\bpt.exe
C:\WINNT\isrvs\ffisearch.exe
C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
C:\WINNT\mcm\mcm3.exe
c:\winnt\system32\msevnt.exe
C:\WINNT\wpwkenc.EXE
c:\winnt\system32\dxvid.exe
C:\WINNT\system32\arjllr.exe reg_run
C:\WINNT\system32\aj876b58.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\snbfdll.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
c:\winnt\system32\seqaxk.exe
c:\winnt\system32\helxmlc.exe
c:\winnt\system32\system.mcm
c:\winnt\system.mcm
c:\winnt\helxmlc.exe
C:\WINNT\system32\rsyncmon.dll
C:\WINNT\isrvs\sysupd.dll
C:\program files\tvs\tvs_b.exe
c:\winnt\SvcProc.exe
C:\WINNT\system32\mp43dmod.exe
C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
c:\winnt\system32\dsqdx.exe
c:\winnt\dsqdx.exe

Then rescan with HJT, click on 'Do a system scan only' to do this.

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ws7P3qe] helxmlc.exe
O4 - HKLM\..\Run: [plqikft] c:\winnt\system32\seqaxk.exe r
O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
O4 - HKCU\..\Run: [hBoFRkK9S] dsqdx.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe

When done, start the computer in Safe Mode; instructions on how to do this with W2k are at the following link. It may take more than one try to get it right.
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

Delete these folders.
C:\Program Files\AutoUpdate
C:\Documents and Settings\All Users\Application Data\RDSA
C:\Program Files\Aprps
C:\Program Files\Incredifind
C:\Program Files\Bpt
C:\Program Files\Common Files\ooiu
C:\program files\tvs

Then do the Ewido scan, this works great in Safe Mode.

#5 - 11th August 2005 - BlickDot (Senior Member; joined Feb 2005; 54 posts; Computer Experience: Intermediate)

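The read markp62 gives the second log above (the system.ini Shell= line still calls Nail.exe after the file is gone, and the randomly named Run entry came back under a fresh file name) is the kind of check that can be scripted. The Python below is an added example, not code from the thread or from HijackThis: it parses HJT 1.99.1 entry lines, applies the same review rules a helper applies by eye (hijacked search URLs, extra programs chained to the shell, bare-filename Run entries, file:// DPF objects, text/html filters, services with no publisher) and then compares a before and after log to show which flagged entries survived a cleanup pass and which are new. The two log excerpts are constructed from the entries in this thread and the rules are heuristics of my own, so a flag is a review prompt, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed excerpts in the HijackThis 1.99.1 line format, modelled on the
# first two logs in this thread (entries shortened, not the full logs).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [ws7P3qe] dmontvwr.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
"""

LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [ws7P3qe] helxmlc.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. O4
    reason: str  # why the entry deserves a look
    line: str    # the entry body as logged


def parse(log_text):
    """Yield (code, body) for each entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def normalize(code, body):
    """Key used to match the same entry across logs (case and spacing differ between scans)."""
    return code, re.sub(r"\s+", " ", body).strip().lower()


def run_target(body):
    """Executable named by an O4 Run entry: the quoted path, or the first token after ']'."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]


def triage(log_text):
    """Apply heuristic review rules to every entry and return the ones worth a look."""
    findings = []
    for code, body in parse(log_text):
        reason = None
        if "(file missing)" in body or "(no file)" in body:
            reason = "orphaned registration, nothing loads but it should be cleaned"
        elif code.startswith("R"):
            value = body.partition(" = ")[2].strip()
            if value:  # an empty Start/Local Page is HJT noise; a URL is a hijack candidate
                reason = "browser search/start setting points at an external URL"
        elif code == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].lower().split()
            if shell != ["explorer.exe"]:
                reason = "extra program chained to the Explorer shell"
        elif code == "O4":
            exe = run_target(body)
            # A bare name is resolved through the search path, so the entry hides where the
            # file lives. Legitimate items (mobsync.exe) do this too: a prompt, not a verdict.
            if "\\" not in exe:
                reason = "Run entry names a bare file resolved via the search path"
            elif not exe.lower().endswith(".exe"):
                reason = "Run entry launches a file that is not an .exe"
        elif code == "O16" and "file://" in body.lower():
            reason = "ActiveX object (DPF) loaded from a local file instead of a site"
        elif code == "O18" and body.startswith("Filter: text/html"):
            reason = "MIME filter that sees every HTML page IE renders"
        elif code == "O23" and "Unknown owner" in body:
            reason = "service with no publisher information"
        if reason:
            findings.append(Finding(code, reason, body))
    return findings


def compare(before, after):
    """Split the after-log findings into ones that survived cleanup and ones that are new."""
    seen = {normalize(c, b) for c, b in parse(before)}
    survived = [f for f in triage(after) if normalize(f.code, f.line) in seen]
    new = [f for f in triage(after) if normalize(f.code, f.line) not in seen]
    return survived, new


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"{f.code:<4} {f.reason}: {f.line}")
    survived, new = compare(LOG_BEFORE, LOG_AFTER)
    print(f"{len(survived)} flagged entries survived the cleanup, {len(new)} new")
```

On the constructed excerpts the survivors are the Shell= line, the system.mcm Run entry, the counter.cab DPF object and the SvcProc service (matched despite the changed path case), and the only new flag is the renamed file behind the ws7P3qe Run entry.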
OK I'm back!

Besides not having enough hours in the day, the monitor's taking a dive. I have an extra one but it's not working well unless I start it in VGA mode. And it won't work in Safe Mode either.

But I installed ewido security suite.
It started finding things right away. I went through the HJT process as closely as I could to your instructions, but again either some of the targets you gave were not available or I didn't have access (C:\Program Files\Aprps).

Scanning with ewido security suite found over 200 items; I deleted them all.

Anyway, here is the latest HJT log file:
--------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:08:18 PM, on 8/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\HoJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [hBoFRkK9S] dsqdx.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe


Old 12th August 2005   #6
markp62 (WindowsBBS Team Member)

The good news is I see nothing bad running. But we seem to have a problem with HJT removing items; some things are gone, but others are still there.
There is a file I have attached; download it, it may Save As Attachment.Php, rename it to Getkey.Zip and unzip the contents to the desktop. Then double-click Getkey.Bat. Post the log it creates here.

I believe you cannot delete those folders because you need to take ownership of them.
http://support.microsoft.com/default...300691&sd=tech


Old 13th August 2005   #7
BlickDot (Senior Member)

Sorry it took so long; here it is:

--------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""
"hBoFRkK9S"="dsqdx.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\PCClient.exe\""
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Internet Security\\TMOAgent.exe\" /run"
"dla"="C:\\WINNT\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"satmat"="C:\\WINNT\\satmat.exe"
"ffis"="C:\\WINNT\\isrvs\\ffisearch.exe"
"Visual Element FX5"="C:\\Documents and Settings\\All Users\\Application Data\\RDSA\\xde00281.exe"
"Microsoft Windows Application"="system.mcm"
"msevnt"="c:\\winnt\\system32\\msevnt.exe /nocomm"
"dxvid"="c:\\winnt\\system32\\dxvid.exe /nocomm"
"aj876b58"="C:\\WINNT\\system32\\aj876b58.exe"

Old 17th August 2005   #8
markp62 (WindowsBBS Team Member)

Open HJT, and click on 'Open the misc tools section', then click on 'Delete a file on reboot'. A File Open window will appear; copy/paste this into it.

C:\WINNT\isrvs\ffisearch.exe

Now click on Open, and you will be prompted to reboot. Select No at this time, and do the same for these.

C:\WINNT\satmat.exe
C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
c:\winnt\system32\system.mcm
c:\winnt\system32\msevnt.exe
c:\winnt\system32\dxvid.exe
c:\winnt\system32\aj876b58.exe
c:\counter.cab
C:\WINNT\isrvs\mfiltis.dll

Rescan with HJT, and remove these items with all internet browsers and Windows Explorer windows closed.

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

I have included an attachment here; when you download it, it will Save As Attachment.Php. Rename it to Fixkey.Zip, and unzip the two files to the Desktop.
Reboot into Safe Mode, and double-click both these files, doing the one named First to begin. On the second file you will be prompted whether you want to merge this information into the registry; yes, you do.
I created those two files to maybe delete those folders, and clean up your startups.


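What the Getkey/Fixkey pair in the two posts above did by hand, as an added example that is not part of this thread, not markp62's attachments and not HijackThis code: a Python script that takes the HJT lines an analyst has marked for removal and produces the two clean-up artifacts the post describes, the file list for HJT's "Delete a file on reboot" and a .reg body that removes the matching Run values when merged (using the `"name"=-` value-deletion syntax of .reg files). The sample input is the fix list copied from the post above. It assumes, as the post did, that a bare file name in a Run value such as `system.mcm` lives in `C:\WINNT\system32`; the real lookup follows the process search path, so confirm the location before deleting.

```python
"""Build HijackThis clean-up artifacts from lines an analyst judged malicious.

Added example for this thread (not markp62's Getkey/Fixkey files, not HJT code):
  * O4 Run entries  -> the Run value to delete plus the file it launches
  * O16 file:// DPF -> the local .cab to delete
  * O18 filter      -> the filter DLL to delete
  * everything else -> left to HJT's own fix (registry CLSID, no file on disk)
Assumption: a bare name in a Run value ("system.mcm") is resolved to system32,
as the thread did; the real lookup follows the process search path.
"""
import re

# Sample input: the fix list from markp62's post, copied from the thread.
FIX_LIST_LINES = r"""
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
""".strip().splitlines()

RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O18_RE = re.compile(r"^O18 - Filter: \S+ - \{[^}]+\} - (?P<path>.+)$")
# Shortest prefix ending in an executable-ish extension, so an unquoted path with
# spaces ("C:\Documents and Settings\...\x.exe") survives and "/nocomm" is dropped.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|dll|bat|pif|mcm))(?:\s|$)", re.I)


def exe_from_command(cmd):
    """Return the program part of a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def plan_fix(lines, system32=r"C:\WINNT\system32"):
    """Split HJT lines into Run values to delete, files to delete, and the rest."""
    run_values, files, registry_only = {}, [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            run_values.setdefault(m.group("hive"), []).append(m.group("name"))
            exe = exe_from_command(m.group("cmd"))
            if "\\" not in exe:           # bare name: assumed to live in system32
                exe = system32 + "\\" + exe
            files.append(exe)
            continue
        m = O16_RE.match(line)
        if m and m.group("url").lower().startswith("file://"):
            files.append(m.group("url")[len("file://"):])
            continue
        m = O18_RE.match(line)
        if m:
            files.append(m.group("path"))
            continue
        registry_only.append(line)        # CLSID with no file: HJT removes the key
    seen, unique = set(), []               # de-duplicate, case-insensitively
    for f in files:
        if f.lower() not in seen:
            seen.add(f.lower())
            unique.append(f)
    return {"run_values": run_values, "files": unique, "registry_only": registry_only}


def reg_delete_values(run_values):
    """Emit a .reg body; a "name"=- line deletes that value when merged."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for hive in ("HKLM", "HKCU"):
        if hive not in run_values:
            continue
        out.append("[" + RUN_KEYS[hive] + "]")
        for name in run_values[hive]:
            escaped = name.replace("\\", "\\\\").replace('"', '\\"')
            out.append('"%s"=-' % escaped)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    plan = plan_fix(FIX_LIST_LINES)
    print("Delete a file on reboot (HJT misc tools):")
    for path in plan["files"]:
        print("  " + path)
    print("\nFixkey.reg:")
    print(reg_delete_values(plan["run_values"]))
```

Order matters the same way it did in the post: queue the files for deletion on reboot first, then merge the .reg in Safe Mode, otherwise a loader that is still on disk will simply write its Run value back, which is exactly the "it is back every reboot" behaviour seen later in this thread. Entries with "(file missing)" or "(no file)" go to the registry-only bucket because there is nothing on disk to remove; HJT's own fix deletes the CLSID registration.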
Old 18th August 2005   #9
BlickDot (Senior Member)

OK. Thanks for creating that script and registry hack. I hope it squelched this thing.

I was tempted to delete:
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll

and:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

But I wasn't sure.


=============================

Logfile of HijackThis v1.99.1
Scan saved at 10:41:46 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\HoJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Old 20th August 2005   #10
markp62 (WindowsBBS Team Member)

My two files cleaned you out as far as this HJT shows.
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll

That is legitimate; it is for your HP CD burning software.

You can remove these:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)

Old 23rd August 2005   #11
BlickDot (Senior Member)

OK, thanks.

I have scanned with Spybot and Ad-Aware multiple times.

Ad-Aware comes up clean.

Spybot is constantly getting hits, though. It removed one or two, and I manually deleted a couple from the registry with regedit.

But there are two that regedit was not able to delete. It said there was an error. They are shown in the Spybot log below. Spybot always says that it is removed, but it is back every reboot. (That's the two reg entries shown as fixed in the log.)

I haven't opened an IE session since we started working through these posts.

But tonight I got up my nerve. The first address I entered was Trend Micro's.

I did the full scan; it showed three viruses and two other sets. The log is also posted below.

Spybot, Trend Micro, and HJT logs below.
-------------------------------------------------------
Winfixer: Tracking cookie (Internet Explorer: Xxxxxx Xxxxx) (Cookie, fixed)


DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-854245398-152049171-842925246-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-08-19 Includes\Dialer.sbi
2005-08-19 Includes\Hijackers.sbi
2005-08-16 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-08-19 Includes\Malware.sbi
2005-08-12 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-08-19 Includes\Security.sbi
2005-08-16 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-08-19 Includes\Trojans.sbi
-------------------------------------------------------------------
Trend Micro Housecall Virus Scan: 0 virus cleaned, 3 viruses deleted

Results:
We have detected 3 infected file(s) with 3 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 3 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible

Detected File                          Associated Virus Name   Action Taken
C:\Program Files\adsoft\CF5.0-5.exe    TROJ_DLOADER.WD         Deletion successful
C:\WINNT\system32\setup_incred_8.exe   TROJ_KEENVAL.E          Deletion successful
C:\WINNT\system32\SSK_B5_MVSSK2.EXE    TROJ_SMALL.QN           Deletion successful




Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.

Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable

Trojan/Worm Name   Trojan/Worm Type   Action Taken




Spyware Check: 23 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.

Results:
We have detected 23 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 23 spyware(s) removed, 0 spyware(s) unremovable

Spyware Name        Spyware Type   Action Taken
COOKIE_153          Cookie         Removal successful
COOKIE_174          Cookie         Removal successful
COOKIE_222          Cookie         Removal successful
COOKIE_763          Cookie         Removal successful
COOKIE_2817         Cookie         Removal successful
DIAL_SCOM.A         Dialer         Removal successful
DIAL_XESLETOH.A     Dialer         Removal successful
SPYW_COMSOFT.A      Spyware        Removal successful
COOKIE_3184         Cookie         Removal successful
COOKIE_3185         Cookie         Removal successful
COOKIE_3186         Cookie         Removal successful
COOKIE_3201         Cookie         Removal successful
DIAL_JAPUP          Dialer         Removal successful
COOKIE_3206         Cookie         Removal successful
COOKIE_6853         Cookie         Removal successful
ADW_TREBATES        Adware         Removal successful
ADW_RIVERSOFT.A     Adware         Removal successful
ADW_SAHAGENT.A      Adware         Removal successful
ADW_SECTHOUGHT.F    Adware         Removal successful
SPYW_VTBOUNCER.C    Spyware        Removal successful
ADW_SECTHOUGHT.B    Adware         Removal successful (Please reboot your machine)
ADW_BEGIN2SRCH.C    Adware         Removal successful
ADW_APROPOS.O       Adware         Removal successful




Microsoft Vulnerability Check: 1 vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 1 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.

Risk Level: Important
Issue: A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected.
How to Fix: MS05-004
------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:32:14 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\HoJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Old 23rd August 2005   #12
markp62 (WindowsBBS Team Member)

I would say you are clean, now.
Old 23rd August 2005   #13
BlickDot (Senior Member)


Great, thanks a ton.

You really know your stuff!

Copyright © 2002 - 2009 WindowsBBS.com. All rights reserved.