
Adware using Windows Media Player?

Discussion in 'Malware and Virus Removal Archive' started by BlickDot, 2005/08/06.

  1. 2005/08/06
    BlickDot

    BlickDot Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    73
    Likes Received:
    0
    This machine has problems. :mad:

    When I start it, WMP comes on in full screen and plays video ads.

    And anything to do with a web page you can forget; the popups lock it up.

    I managed to get HJT on and got the log though. I have HJT on a CD.

    I have been running Ad-Aware & Spybot; they always find things and they always come back.

    Please help.
    HJT log file:
    --------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 4:50:24 PM, on 8/6/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\pglfsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.exe
    c:\winnt\system32\twhisj.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\Bpt\bpt.exe
    C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    C:\WINNT\mcm\mcm3.exe
    C:\WINNT\system32\system.mcm
    C:\winnt\system32\msevnt.exe
    C:\WINNT\wpwkenc.EXE
    C:\winnt\system32\dxvid.exe
    C:\WINNT\system32\arjllr.exe
    C:\WINNT\system32\aj876b58.exe
    C:\WINNT\system32\dmontvwr.exe
    C:\program files\tvs\tvs_b.exe
    C:\WINNT\snbfdll.EXE
    C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\PROGRA~1\COMMON~1\ooiu\ooiua.exe
    C:\Program Files\Aprps\CxtPls.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\program files\internet explorer\iexplore.exe
    C:\HoJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
    O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
    O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe "
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
    O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
    O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
    O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
    O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
    O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
    O4 - HKLM\..\Run: [ws7P3qe] dmontvwr.exe
    O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
    O4 - HKLM\..\Run: [umrcke] c:\winnt\system32\twhisj.exe r
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [mp43dmod] C:\WINNT\system32\mp43dmod.exe
    O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\pglfsvc.exe
  2. 2005/08/06
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    After looking at this log, I am surprised your computer isn't coughing up bits and bytes. Order a pizza and get your favorite beverage ready.

    Go to Start\Run, type in Services.Msc and press Enter. Locate these in the list.

    System Startup Service (SvcProc)
    Windows VisFx Components

    Left click on each one, and Stop the service. Then right click on each one, select Properties and set to Disable.
    Close the Services window.

    Open HJT, and click on 'Open the misc tools section', then click on 'Delete a file on reboot'. A File Open window will appear; copy/paste this in it.

    C:\WINNT\pglfsvc.exe

    Now click on Open, and you will be prompted to reboot. Select No at this time, and do the same for these.

    c:\winnt\system32\twhisj.exe
    C:\WINNT\mcm\mcm3.exe
    C:\WINNT\system32\system.mcm
    C:\winnt\system32\msevnt.exe
    C:\WINNT\wpwkenc.EXE
    C:\winnt\system32\dxvid.exe
    C:\WINNT\system32\arjllr.exe
    C:\WINNT\system32\aj876b58.exe
    C:\WINNT\system32\dmontvwr.exe
    C:\program files\tvs\tvs_b.exe
    C:\WINNT\snbfdll.EXE
    C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
    C:\WINNT\system32\md5.dll
    C:\winnt\system32\schdwrp.dll
    C:\winnt\system32\au3xtra.dll
    C:\PROGRA~1\COMMON~1\ooiu\ooiua.exe
    C:\WINNT\Nail.exe
    C:\WINNT\enhtb.dll
    C:\WINNT\dsr.dll
    C:\WINNT\satmat.exe
    C:\WINNT\system32\mp43dmod.exe
    c:\counter.cab

    Rescan with HJT, and remove these with all browsers closed.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
    O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
    O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe "
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
    O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
    O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
    O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
    O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
    O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
    O4 - HKLM\..\Run: [ws7P3qe] dmontvwr.exe
    O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
    O4 - HKLM\..\Run: [umrcke] c:\winnt\system32\twhisj.exe r
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKCU\..\Run: [mp43dmod] C:\WINNT\system32\mp43dmod.exe
    O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
    O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\pglfsvc.exe

    Then reboot, and delete these folders.

    C:\program files\tvs
    C:\Program Files\Common Files\ooiu
    C:\WINNT\isrvs
    C:\WINNT\mcm
    C:\Program Files\AutoUpdate
    C:\Documents and Settings\All Users\Application Data\RDSA
    c:\Program Files\Fla
    c:\Program Files\Fln
    C:\Program Files\Ebates_MoeMoneyMaker
    C:\Program Files\Aprps
    C:\Program Files\Incredifind
    C:\Program Files\Bpt

    Get CWShedder, update it and then run it.
    http://www.majorgeeks.com/download4086.html

    Please post a new HJT log.

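As an added illustration of what the helper is doing with these logs (example code written for this page, not part of the thread or of HijackThis): a small Python parser for HJT entry lines that flags the persistence patterns seen in the logs above and below (the system.ini Shell= entry that keeps launching Nail.exe, Run values that launch a bare filename or carry a generated-looking name, services with no owner, search-page overrides, orphaned BHOs) and diffs two scans to show what was removed and what came back under a new filename. The sample lines are constructed in the shape of the thread's logs, and the severity ratings are the example's own heuristics, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the thread's logs (not real scan output).
SAMPLE_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ws7P3qe] dmontvwr.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
"""

# Constructed "after cleanup" sample: the search hijack is gone, but Run value
# ws7P3qe now launches a freshly generated filename, as happens in the thread.
SAMPLE_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ws7P3qe] helxmlc.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
"""


@dataclass
class Finding:
    code: str      # HJT section code, e.g. "O4"
    severity: str  # "high", "medium" or "low" (this example's own rating)
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entries(log_text):
    """Yield (code, body) for each HJT entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def first_token(cmd):
    """Return the executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split()[0] if cmd else ""


def analyze(log_text):
    """Flag the persistence patterns that kept this machine re-infected."""
    findings = []
    for code, body in parse_entries(log_text):
        line = f"{code} - {body}"
        if code == "F2" and "Shell=" in body:
            # system.ini Shell= should be exactly Explorer.exe; anything appended
            # (Nail.exe here) is started by Winlogon on every boot.
            extra = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(code, "high", f"extra program in Shell=: {' '.join(extra)}", line))
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Global Startup .lnk entries use a different layout
            name, exe = m.group("name"), first_token(m.group("cmd"))
            if "\\" not in exe:
                # Bare filename: resolved via the search path at logon, so the
                # file can live anywhere (dmontvwr.exe, dsqdx.exe in the thread).
                findings.append(Finding(code, "high", f"Run value '{name}' launches bare filename {exe}", line))
            elif re.search(r"\d", name) and re.search(r"[A-Za-z]", name):
                # Heuristic: mixed letter/digit names such as aj876b58 look generated.
                findings.append(Finding(code, "medium", f"Run value '{name}' has a generated-looking name", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "high", "service with no publisher information", line))
        elif code in ("R0", "R1"):
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value:
                findings.append(Finding(code, "medium", f"browser search/start page override -> {value}", line))
        elif code in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            findings.append(Finding(code, "low", "orphaned entry, file no longer present", line))
    return findings


def diff_logs(before, after):
    """Entries gone since the earlier scan and entries new in the later one,
    compared case-insensitively because HJT mixes upper- and lower-case paths."""
    b = {f"{c} - {x}".lower(): f"{c} - {x}" for c, x in parse_entries(before)}
    a = {f"{c} - {x}".lower(): f"{c} - {x}" for c, x in parse_entries(after)}
    removed = [b[k] for k in sorted(b.keys() - a.keys())]
    added = [a[k] for k in sorted(a.keys() - b.keys())]
    return removed, added


if __name__ == "__main__":  # quick demonstration on the constructed samples
    for f in analyze(SAMPLE_BEFORE):
        print(f"[{f.severity}] {f.code}: {f.reason}")
    print("gone / new after cleanup:", diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Feeding a full log to `analyze` and the previous log to `diff_logs` gives the same two answers the helper works out by eye: what to kill or delete first, and which Run values have simply been re-created under a new filename.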

  4. 2005/08/07
    BlickDot

    BlickDot Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    73
    Likes Received:
    0
    OK !

    Thanks for helping.
    I forgot to mention this is a Win2000 Pro machine. But you knew that (HJT log).


    I did most of what you instructed; the only variances were things that were not available to remove.

    I stopped and disabled the services:

    System Startup Service (SvcProc)
    Windows VisFx Components
    ---------------
    I used the misc. tools in HJT and deleted on next startup everything in the list. There was some problem with c:/WINNT/Nail.exe though.

    I can't recall exactly what, though; it was late, the pizza was gone and the beverage consumed.

    After rebooting there is an error that comes up at startup saying that Nails.exe can't be found though.
    ---------------
    Using HJT to remove the specified files went a little sketchier.

    Not all the selections were there. I did remove anything that said sidesearch though, and the Windows VisFx Components.
    I don't think the C:/WINNT/pglfsvc.exe was available.
    -----------------------
    After rebooting I deleted all folders you stated with these exceptions:

    C:\WINNT\isrvs - Not present
    C:\Program Files\AutoUpdate - No Access
    C:\Documents and Settings\All Users\Application Data\RDSA - No Access
    C:\Program Files\Ebates_MoeMoneyMaker - Not present
    C:\Program Files\Aprps - No Access
    C:\Program Files\Incredifind - No Access
    C:\Program Files\Bpt - No Access
    -----------------------------------------
    Installed and updated cwshredder
    Ran it. It found one file and removed it.
    Then came up clean.

    HJT Log file:
    ---------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 7:23:33 AM, on 8/7/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.exe
    c:\winnt\system32\seqaxk.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\system32\mobsync.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\Bpt\bpt.exe
    C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    C:\WINNT\wpwkenc.EXE
    C:\WINNT\system32\arjllr.exe
    C:\WINNT\snbfdll.EXE
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINNT\system32\helxmlc.exe
    C:\WINNT\system32\dsqdx.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\Program Files\Aprps\CxtPls.exe
    C:\HoJackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
    O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
    O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe "
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
    O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
    O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
    O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
    O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
    O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
    O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [ws7P3qe] helxmlc.exe
    O4 - HKLM\..\Run: [plqikft] c:\winnt\system32\seqaxk.exe r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [mp43dmod] C:\WINNT\system32\mp43dmod.exe
    O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
    O4 - HKCU\..\Run: [hBoFRkK9S] dsqdx.exe
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
  5. 2005/08/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    At least I know Nail.Exe is gone, but the item calling it up is still there. You do have some toughies here.

    Some of these things may be gone, but they appear in the log. Let's do something a bit different here.

    Download the trial version of ewido security suite.
    Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Close for now.
    Ewido Setup

    Open HJT, then click on 'Open the misc tools section', now click on 'Open Process Manager'.
    Highlight each of these, and click on 'Kill Process'.

    c:\winnt\system32\seqaxk.exe
    C:\Program Files\Bpt\bpt.exe
    C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    C:\WINNT\wpwkenc.EXE
    C:\WINNT\system32\arjllr.exe
    C:\WINNT\snbfdll.EXE
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINNT\system32\helxmlc.exe
    C:\WINNT\system32\dsqdx.exe
    C:\Program Files\Aprps\CxtPls.exe

    Open HJT, and click on 'Open the misc tools section', then click on 'Delete a file on reboot'. A File Open window will appear; copy/paste this in it.

    c:\winnt\system32\seqaxk.exe

    Now click on Open, and you will be prompted to reboot. Select No at this time, and do the same for these.

    C:\Program Files\Bpt\bpt.exe
    C:\WINNT\wpwkenc.EXE
    C:\WINNT\system32\arjllr.exe
    C:\WINNT\snbfdll.EXE
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINNT\system32\helxmlc.exe
    C:\WINNT\system32\dsqdx.exe
    C:\WINNT\satmat.exe
    C:\Program Files\Bpt\bpt.exe
    C:\WINNT\isrvs\ffisearch.exe
    C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    C:\WINNT\mcm\mcm3.exe
    c:\winnt\system32\msevnt.exe
    C:\WINNT\wpwkenc.EXE
    c:\winnt\system32\dxvid.exe
    C:\WINNT\system32\arjllr.exe reg_run
    C:\WINNT\system32\aj876b58.exe
    C:\program files\tvs\tvs_b.exe
    C:\WINNT\snbfdll.EXE
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    c:\winnt\system32\seqaxk.exe
    c:\winnt\system32\helxmlc.exe
    c:\winnt\system32\system.mcm
    c:\winnt\system.mcm
    c:\winnt\helxmlc.exe
    C:\WINNT\system32\rsyncmon.dll
    C:\WINNT\isrvs\sysupd.dll
    C:\program files\tvs\tvs_b.exe
    c:\winnt\SvcProc.exe
    C:\WINNT\system32\mp43dmod.exe
    C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
    c:\winnt\system32\dsqdx.exe
    c:\winnt\dsqdx.exe

    Then rescan with HJT, click on 'Do a system scan only' to do this.

    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll (file missing)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
    O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
    O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe "
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    O4 - HKLM\..\Run: [MCM3] C:\WINNT\mcm\mcm3.exe
    O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
    O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
    O4 - HKLM\..\Run: [wpwkenc] C:\WINNT\wpwkenc.EXE
    O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arjllr.exe reg_run
    O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
    O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [snbfdll] C:\WINNT\snbfdll.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [ws7P3qe] helxmlc.exe
    O4 - HKLM\..\Run: [plqikft] c:\winnt\system32\seqaxk.exe r
    O4 - HKCU\..\Run: [ooiu] C:\PROGRA~1\COMMON~1\ooiu\ooium.exe
    O4 - HKCU\..\Run: [hBoFRkK9S] dsqdx.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe

    When done, start the computer in Safe Mode, instructions on how to do this with W2k at the following link. It may take more than one try to get it right.
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Delete these folders.
    C:\Program Files\AutoUpdate
    C:\Documents and Settings\All Users\Application Data\RDSA
    C:\Program Files\Aprps
    C:\Program Files\Incredifind
    C:\Program Files\Bpt
    C:\Program Files\Common Files\ooiu
    C:\program files\tvs

    Then do the Ewido scan, this works great in Safe Mode.
  6. 2005/08/10
    BlickDot

    BlickDot Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    73
    Likes Received:
    0
    OK I'm back! :)

    Besides not having enough hours in the day, the monitor's taking a dive. I have an extra one but it's not working well unless I start it in VGA mode. And it won't work in safe mode either. :mad:

    But I installed ewido security suite.
    It started finding things right away. I went through the HJT process as close as I could to your instructions but again either some of the targets you gave were not available or I didn't have access (C:\Program Files\Aprps).

    Scanning with ewido security suite found over 200 items; I deleted them all.

    Anyway, here is the latest HJT log file:
    --------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 9:08:18 PM, on 8/10/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\HoJackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
    O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
    O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
    O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
    O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [hBoFRkK9S] dsqdx.exe
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
     
    Last edited: 2005/08/11
  7. 2005/08/11
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The good news is I see nothing bad running. But we seem to have a problem with HJT removing items: some things are gone, but others are still there.
    There is a file I have attached; download it (it may save as Attachment.Php), rename it to Getkey.Zip and unzip the contents to the desktop. Then double-click Getkey.Bat. Post the log it creates here.

    I believe you cannot delete those folders because you need to take ownership of them.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;300691&sd=tech
     
    Last edited: 2008/05/04
  8. 2005/08/13
    BlickDot

    BlickDot Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    73
    Likes Received:
    0
    Sorry it took so long; here it is:

    --------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
    "Sonic RecordNow!"=""
    "hBoFRkK9S"="dsqdx.exe"

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\PCClient.exe\""
    "TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Internet Security\\TMOAgent.exe\" /run"
    "dla"="C:\\WINNT\\system32\\dla\\tfswctrl.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "satmat"="C:\\WINNT\\satmat.exe"
    "ffis"="C:\\WINNT\\isrvs\\ffisearch.exe"
    "Visual Element FX5"="C:\\Documents and Settings\\All Users\\Application Data\\RDSA\\xde00281.exe"
    "Microsoft Windows Application"="system.mcm"
    "msevnt"="c:\\winnt\\system32\\msevnt.exe /nocomm"
    "dxvid"="c:\\winnt\\system32\\dxvid.exe /nocomm"
    "aj876b58"="C:\\WINNT\\system32\\aj876b58.exe"
     
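    The Getkey export above is plain Regedit 5.00 text, and the thing that trips people up when reading it is the escaping: inside a REG_SZ value every backslash is doubled and every embedded double quote is written as \", so "PCClient.exe" is really a quoted path and "satmat" is not. The following is an added example, not part of the thread and not what Getkey.Bat does: a small Python reader that undoes that escaping and then shows, for each Run value, which file Windows would actually try to start. The sample text is constructed from the HKLM key above; the CreateProcess prefix behaviour it models (an unquoted path with spaces is tried one whitespace-delimited prefix at a time) is standard Windows behaviour, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the HKLM Run key as the Getkey export above shows it, in
# Regedit 5.00 syntax, where backslashes and double quotes inside a REG_SZ
# value are written as \\ and \" respectively.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\PCClient.exe\""
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Internet Security\\TMOAgent.exe\" /run"
"satmat"="C:\\WINNT\\satmat.exe"
"Visual Element FX5"="C:\\Documents and Settings\\All Users\\Application Data\\RDSA\\xde00281.exe"
"Microsoft Windows Application"="system.mcm"
"Sonic RecordNow!"=""
'''

# "name"=data  where the name may itself contain escaped characters
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s: str) -> str:
    """Undo Regedit REG_SZ escaping: a backslash simply quotes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its REG_SZ name/value pairs; other value types are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):      # REG_SZ only
            keys[current][unescape(name)] = unescape(data[1:-1])
    return keys


def image_candidates(cmd: str) -> List[str]:
    """File names CreateProcess tries, in order, for a Run value's command line.

    A quoted path yields exactly one candidate. An unquoted path that contains
    spaces is ambiguous: Windows tries each whitespace-delimited prefix in turn
    (appending .exe where there is no extension), so a writable C:\Documents.exe
    would run instead of the intended file. A bare name is looked up on the
    search path, so the value alone does not say which file runs.
    """
    cmd = cmd.strip()
    if not cmd:
        return []
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end]] if end > 0 else [cmd[1:]]
    parts = cmd.split()
    return [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]


def run_values(text: str) -> Dict[str, List[str]]:
    """For every value under a ...\\CurrentVersion\\Run key, the candidate images."""
    result: Dict[str, List[str]] = {}
    for key, values in parse_reg(text).items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, cmd in values.items():
            result[name] = image_candidates(cmd)
    return result


if __name__ == "__main__":
    for name, cands in run_values(SAMPLE_REG).items():
        print(f"{name!r}: {cands}")
```

    Two things this makes visible that the raw export hides: "Sonic RecordNow!" is an empty value (nothing runs, it is just leftover), and "Visual Element FX5" is an unquoted path with four spaces in it, so Windows will try C:\Documents, C:\Documents and, and so on before reaching xde00281.exe.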
  9. 2005/08/16
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Open HJT, and click on 'Open the misc tools section', then click on 'Delete a file on reboot'. A File Open window will appear; copy/paste this into it.

    C:\WINNT\isrvs\ffisearch.exe

    Now click on Open, and you will be prompted to reboot. Select No at this time, and do the same for these.

    C:\WINNT\satmat.exe
    C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    c:\winnt\system32\system.mcm
    c:\winnt\system32\msevnt.exe
    c:\winnt\system32\dxvid.exe
    c:\winnt\system32\aj876b58.exe
    c:\counter.cab
    C:\WINNT\isrvs\mfiltis.dll

    Rescan with HJT, and remove these items with all internet browsers and Windows Explorer windows closed.

    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
    O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
    O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
    O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
    O4 - HKLM\..\Run: [dxvid] c:\winnt\system32\dxvid.exe /nocomm
    O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

    I have included an attachment here; when you download it, it will save as Attachment.Php. Rename it to Fixkey.Zip, and unzip the two files to the Desktop.
    Reboot into Safe Mode and double-click both files, doing the one named First to begin. On the second file you will be prompted "if you want to merge this information into the registry?"; yes, you do.
    I created those two files to maybe delete those folders and clean up your startups.
     
    Last edited: 2008/05/04
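    What markp62 is doing by hand in the post above is a triage of the HJT log: registrations that point at files which no longer exist, Run values whose image is a bare name or lives in an odd corner of the Windows directory, random-looking file names, an ActiveX download point served from a local file:// path, and a MIME filter hooked on text/html. The following is an added example, not part of the thread and not HijackThis code: a Python script that applies those rules to a sample constructed from the HJT 1.99.1 log lines posted in this thread. The rules, the "suspect"/"review" labels and the function names are my own choices, not anything HJT or the forum prescribes.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HJT 1.99.1 logs posted in this
# thread, with legitimate entries (Trend Micro, DLA, mobsync) left in so the
# rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\RDSA\xde00281.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [msevnt] c:\winnt\system32\msevnt.exe /nocomm
O4 - HKLM\..\Run: [aj876b58] C:\WINNT\system32\aj876b58.exe
O4 - HKCU\..\Run: [hBoFRkK9S] dsqdx.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
"""


@dataclass
class Finding:
    line: str
    severity: str        # "suspect" (remove) or "review" (needs a human look)
    reasons: List[str]


ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Image part of a Run command line: quoted, or unquoted up to the first known
# executable extension (so unquoted paths with spaces survive).
IMAGE = re.compile(r'^"?(?P<img>[^"]+?\.(?:exe|com|scr|pif|bat|cmd|dll|vbs|mcm))"?(?=\s|$)', re.I)
# Under the Windows directory but not in system32\ (or system\): the Windows
# root itself and made-up subfolders such as WINNT\isrvs\.
WINDIR_NONSTD = re.compile(r"^[a-z]:\\win(?:nt|dows)\\(?!system32\\|system\\)", re.I)


def image_path(cmd: str) -> str:
    m = IMAGE.match(cmd)
    return m.group("img") if m else cmd.split()[0].strip('"')


def looks_random(s: str) -> bool:
    """Crude: six or more characters mixing letters and digits (aj876b58, xde00281)."""
    return len(s) >= 6 and any(c.isdigit() for c in s) and any(c.isalpha() for c in s)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ORPHAN.search(line):
            findings.append(Finding(line, "review",
                ["registration points at a file that no longer exists; remove the entry"]))
            continue
        m = O4.match(line)
        if m:
            img = image_path(m.group("cmd"))
            stem = img.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons, severity = [], "review"
            if "\\" not in img:
                reasons.append(f"bare image name {img!r} is found via the search path, "
                               "so the value alone does not say which file runs")
            elif WINDIR_NONSTD.match(img):
                reasons.append(f"{img!r} is in the Windows directory outside system32; "
                               "vendors rarely install there")
                severity = "suspect"
            if looks_random(stem) or looks_random(m.group("name")):
                reasons.append("random-looking value or file name")
                severity = "suspect"
            if reasons:
                findings.append(Finding(line, severity, reasons))
            continue
        if line.startswith("O16 - DPF:") and "file://" in line.lower():
            findings.append(Finding(line, "suspect",
                ["ActiveX download point served from a local file:// path"]))
        elif line.startswith("O18 - Filter: text/html"):
            findings.append(Finding(line, "suspect",
                ["MIME filter on text/html sees, and can rewrite, every page IE renders"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:7} {f.line}\n        {'; '.join(f.reasons)}")
```

    Run against the sample, it flags the same O4, O16 and O18 entries markp62 lists, plus the orphaned O2/O3/O23 registrations as "review". Note what it misses: msevnt.exe and dxvid.exe sit in system32 with plausible names and pass every rule here; they were caught only because a person knew they are not Windows files. Heuristics like these narrow the list, but the real check for a file in system32 is a hash or signature comparison against a known-good set.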
  10. 2005/08/17
    BlickDot

    BlickDot Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    73
    Likes Received:
    0
    OK. Thanks for creating that script and registry hack. I hope it squelched this thing.

    I was tempted to delete:
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll

    and:
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    But I wasn't sure.


    =============================

    Logfile of HijackThis v1.99.1
    Scan saved at 10:41:46 PM, on 8/17/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\HoJackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
     
  11. 2005/08/19
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    My two files cleaned you out as far as this HJT shows.
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll

    That is legitimate, it is for your HP CD burning software.

    You can remove these.

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
     
  12. 2005/08/22
    BlickDot

    BlickDot Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    73
    Likes Received:
    0
    OK, thanks.

    I have scanned with Spybot and Ad-Aware multiple times. Ad-Aware comes up clean. Spybot is constantly getting hits though. It removed one or two, and I manually deleted a couple from the registry with regedit. But there are two that regedit was not able to delete; it said there was an error. They are shown in the Spybot log below. Spybot always says that it is removed, but it is back every reboot. (That's the two registry entries shown as fixed in the log.)

    I haven't opened an IE session since we started working through these posts. But tonight I got up my nerve. The first address I entered was Trend Micro's. I did the full scan; it showed three viruses and two other sets. The log is also posted below.

    Spybot, Trend Micro, and HJT logs below.
    -------------------------------------------------------
    Winfixer: Tracking cookie (Internet Explorer: Xxxxxx Xxxxx) (Cookie, fixed)


    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-21-854245398-152049171-842925246-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2005-04-26 Includes\Cookies.sbi
    2005-08-19 Includes\Dialer.sbi
    2005-08-19 Includes\Hijackers.sbi
    2005-08-16 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2005-08-19 Includes\Malware.sbi
    2005-08-12 Includes\PUPS.sbi
    2005-04-27 Includes\Revision.sbi
    2005-08-19 Includes\Security.sbi
    2005-08-16 Includes\Spybots.sbi
    2005-02-17 Includes\Tracks.uti
    2005-08-19 Includes\Trojans.sbi
    -------------------------------------------------------------------
    Trend Micro Housecall Virus Scan: 0 viruses cleaned, 3 viruses deleted


    Results:
    We have detected 3 infected file(s) with 3 virus(es) on your
    computer. Only 0 out of 0 infected files are displayed:
    - 0 virus(es) passed, 0 virus(es) no action available
    - 0 virus(es) cleaned, 0 virus(es) uncleanable
    - 3 virus(es) deleted, 0 virus(es) undeletable
    - 0 virus(es) not found, 0 virus(es) unaccessible
    Detected File                           Associated Virus Name   Action Taken
    C:\Program Files\adsoft\CF5.0-5.exe     TROJ_DLOADER.WD         Deletion successful
    C:\WINNT\system32\setup_incred_8.exe    TROJ_KEENVAL.E          Deletion successful
    C:\WINNT\system32\SSK_B5_MVSSK2.EXE     TROJ_SMALL.QN           Deletion successful

    Trojan/Worm Check: 0 worms/Trojan horses deleted

    What we checked:
    Malicious activity by a Trojan horse program. Although a
    Trojan seems like a harmless program, it contains malicious
    code and once installed can cause damage to your computer.
    Results:
    We have detected 0 Trojan horse program(s) and worm(s) on your
    computer. Only 0 out of 0 Trojan horse programs and worms are
    displayed: - 0 worm(s)/Trojan(s) passed, 0
    worm(s)/Trojan(s) no action available
    - 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s)
    undeletable
    Trojan/Worm Name    Trojan/Worm Type    Action Taken

    Spyware Check: 23 spyware programs removed

    What we checked:
    Whether personal information was tracked and reported by
    spyware. Spyware is often installed secretly with legitimate
    programs downloaded from the Internet.
    Results:
    We have detected 23 spyware(s) on your computer. Only 0 out of
    0 spywares are displayed: - 0 spyware(s) passed, 0
    spyware(s) no action available
    - 23 spyware(s) removed, 0 spyware(s) unremovable
    Spyware Name         Spyware Type   Action Taken
    COOKIE_153           Cookie         Removal successful
    COOKIE_174           Cookie         Removal successful
    COOKIE_222           Cookie         Removal successful
    COOKIE_763           Cookie         Removal successful
    COOKIE_2817          Cookie         Removal successful
    DIAL_SCOM.A          Dialer         Removal successful
    DIAL_XESLETOH.A      Dialer         Removal successful
    SPYW_COMSOFT.A       Spyware        Removal successful
    COOKIE_3184          Cookie         Removal successful
    COOKIE_3185          Cookie         Removal successful
    COOKIE_3186          Cookie         Removal successful
    COOKIE_3201          Cookie         Removal successful
    DIAL_JAPUP           Dialer         Removal successful
    COOKIE_3206          Cookie         Removal successful
    COOKIE_6853          Cookie         Removal successful
    ADW_TREBATES         Adware         Removal successful
    ADW_RIVERSOFT.A      Adware         Removal successful
    ADW_SAHAGENT.A       Adware         Removal successful
    ADW_SECTHOUGHT.F     Adware         Removal successful
    SPYW_VTBOUNCER.C     Spyware        Removal successful
    ADW_SECTHOUGHT.B     Adware         Removal successful (Please reboot your machine)
    ADW_BEGIN2SRCH.C     Adware         Removal successful
    ADW_APROPOS.O        Adware         Removal successful

    Microsoft Vulnerability Check: 1 vulnerability detected

    What we checked:
    Microsoft known security vulnerabilities. These are issues
    Microsoft has identified and released Critical Updates to fix.

    Results:
    We have detected 1 vulnerability/vulnerabilities on your
    computer. Only 0 out of 0 vulnerabilities are displayed.
    Risk Level   Issue                                                          How to Fix
    Important    A vulnerability in ASP.NET allows an attacker to bypass the    MS05-004
                 security of an ASP.NET Web site, and access a machine. The
                 attacker gains unauthorized access to some areas of the said
                 Web site, and is able to control it accordingly. The actions
                 that the attacker could take would depend on the specific
                 content being protected.
    ------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 9:32:14 PM, on 8/22/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\HoJackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA1DCAB9-0012-4D8E-811C-1D172456B086}: NameServer = 192.168.0.1
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
     
  13. 2005/08/22
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I would say you are clean, now.
     
  14. 2005/08/23
    BlickDot

    BlickDot Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    73
    Likes Received:
    0
    Great thanks a ton, :)

    You really know your stuff!
     
