
Persistent pop-ups and spyware - HJT log below

Discussion in 'Malware and Virus Removal Archive' started by Cauli, 2005/02/23.

  1. 2005/02/23
    Cauli

    Next step after this last resort is a reformat & reload.
    TIA, -Cauli
    Logfile of HijackThis v1.99.0
    Scan saved at 10:43:00 PM, on 2/23/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\msupd5.exe
    C:\WINNT\system32\tuqmbtrp6.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\fjhwelon.exe
    C:\WINNT\system32\vlstziye.exe
    C:\WINNT\system32\bkvrxiij.exe
    C:\WINNT\system32\nmyyiyfj.exe
    C:\WINNT\system32\yfjwlazh.exe
    C:\WINNT\system32\sfgiofev.exe
    C:\WINNT\system32\hhdkxtsy.exe
    C:\WINNT\system32\hnnyvfmm.exe
    C:\WINNT\system32\wwufvuuz.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\winnt\system32\msnavc32.exe
    C:\WINNT\system32\sysmonnt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huytik.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Documents and Settings\Tom Josephson\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
    O2 - BHO: (no name) - {1F42DC42-E6DD-E30D-21AB-9B43A56C21AF} - C:\WINNT\system32\gbofwdae.dll
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
    O2 - BHO: (no name) - {2B1C5A04-4F08-74F6-C390-B198A6196F8E} - C:\WINNT\system32\lgepwqza.dll
    O2 - BHO: (no name) - {2DCC892D-E5EA-C845-2955-E3800779F1B0} - C:\WINNT\system32\vojweoko.dll
    O2 - BHO: (no name) - {2E7673DF-FB9C-D981-EB51-17EF04D6B1EE} - C:\WINNT\system32\wwwqegsg.dll
    O2 - BHO: (no name) - {2EFC0A62-E83A-7FEF-6663-6ABA476D9507} - C:\WINNT\system32\uyfglkqk.dll
    O2 - BHO: (no name) - {476BFA47-E46D-B5E1-88B3-37B9F966C283} - C:\WINNT\system32\sjbeowxc.dll
    O2 - BHO: (no name) - {4848C224-8FCD-CC3B-1C56-B1E87D901E40} - C:\WINNT\system32\nplfoxnj.dll
    O2 - BHO: (no name) - {49ABF6F6-6D1B-3352-2616-43CC28E93DEC} - C:\WINNT\system32\oetpugde.dll
    O2 - BHO: (no name) - {4C065EC2-1514-1FE4-97FA-F7872AE2CBB4} - C:\WINNT\system32\wfhbuyaz.dll
    O2 - BHO: (no name) - {554B0726-8559-4A35-EDE9-08433D370275} - C:\WINNT\system32\upwrurhy.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: (no name) - {72C505DC-0F32-3067-3435-FB0C27C470AD} - C:\WINNT\system32\xrvsryek.dll
    O2 - BHO: (no name) - {C267A7AD-A52E-CF61-0FCC-4401F50A609F} - C:\WINNT\system32\xgcfjfds.dll
    O2 - BHO: (no name) - {DC57E1F9-5C06-E137-F454-B37818756509} - C:\WINNT\system32\whbudgdt.dll
    O2 - BHO: (no name) - {EB40EB1C-A201-21A1-8E0D-CB7FF5F34AB5} - C:\WINNT\system32\nvbwrtxk.dll
    O2 - BHO: (no name) - {F75864C2-4D81-5F33-2048-B5DB0446774A} - C:\WINNT\system32\orbakbib.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ribbvv] C:\Program Files\Dnjbym\Dqoif.exe
    O4 - HKLM\..\Run: [fjhwelon] C:\WINNT\system32\fjhwelon.exe
    O4 - HKLM\..\Run: [vlstziye] C:\WINNT\system32\vlstziye.exe
    O4 - HKLM\..\Run: [bkvrxiij] C:\WINNT\system32\bkvrxiij.exe
    O4 - HKLM\..\Run: [nmyyiyfj] C:\WINNT\system32\nmyyiyfj.exe
    O4 - HKLM\..\Run: [yfjwlazh] C:\WINNT\system32\yfjwlazh.exe
    O4 - HKLM\..\Run: [sfgiofev] C:\WINNT\system32\sfgiofev.exe
    O4 - HKLM\..\Run: [hhdkxtsy] C:\WINNT\system32\hhdkxtsy.exe
    O4 - HKLM\..\Run: [hnnyvfmm] C:\WINNT\system32\hnnyvfmm.exe
    O4 - HKLM\..\Run: [wwufvuuz] C:\WINNT\system32\wwufvuuz.exe
    O4 - HKLM\..\Run: [gpplsedk] C:\WINNT\system32\gpplsedk.exe
    O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
    O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliterfk32.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [qv44czq4] C:\Program Files\qv44czq4\qv44czq4.exe
    O4 - HKLM\..\Run: [zgyuzc] C:\WINNT\system32\zgyuzc.exe
    O4 - HKLM\..\Run: [jmuoyo] c:\winnt\system32\jmuoyo.exe
    O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [msrcsc] C:\WINNT\system32\msrcsc.exe
    O4 - HKLM\..\Run: [SystemCheck] C:\WINNT\SysCheckBop32
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/604485.exe
    O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
    O23 - Service: afsfyddokfcd - Unknown - C:\WINNT\system32\tuqmbtrp6.exe
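As an added example, not part of this thread or of HijackThis itself, the script below parses the O2, O4, O10 and O23 lines of a log like the one above and flags the patterns the helpers react to in the later posts. The sample lines are copied from this log; the heuristics (orphaned CLSIDs, unnamed BHOs in system32, Run value names that mirror a system32 executable, unknown service vendor, repeated LSP DLLs) are the editor's own, not an HJT feature.

```python
"""HijackThis (HJT) log triage.

Added example for this thread; it is not part of the original posts or of
HijackThis itself. It parses the O2 (BHO), O4 (Run key), O10 (Winsock LSP)
and O23 (service) lines of an HJT log and flags the patterns the helpers
react to: BHO CLSIDs still registered after their DLL is gone, unnamed BHOs
loaded from system32, Run entries whose value name simply mirrors a system32
executable, services with an unknown vendor, and repeated LSP DLLs.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: representative lines copied from the thread's first log.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\fjhwelon.exe

O2 - BHO: (no name) - {1F42DC42-E6DD-E30D-21AB-9B43A56C21AF} - C:\WINNT\system32\gbofwdae.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: (no name) - {2B1C5A04-4F08-74F6-C390-B198A6196F8E} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [fjhwelon] C:\WINNT\system32\fjhwelon.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def split_command(cmd: str) -> str:
    """Return the executable part of an O4 command string.

    HJT prints the Run value verbatim, so the path may be quoted, may carry
    arguments (mobsync.exe /logon) or may have no extension at all (sysmonnt).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def in_system32(path: str) -> bool:
    """True when the file sits directly in a system32 directory."""
    return PureWindowsPath(path.strip('"')).parent.name.lower() == "system32"


def triage(log_text: str) -> list[tuple[str, str]]:
    """Walk an HJT log and return (finding_kind, detail) pairs."""
    findings: list[tuple[str, str]] = []
    running: set[str] = set()          # stems of processes listed as running
    lsp: Counter[str] = Counter()      # O10 path -> number of times listed
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                running.add(PureWindowsPath(line).stem.lower())
                continue
            in_processes = False       # blank line ends the process list
        if m := O2_RE.match(line):
            path = m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                # Orphaned CLSID: the DLL is gone but the registry key stays,
                # which is what the later posts in the thread are fighting.
                findings.append(("orphan-bho", f"{m['clsid']} -> {path}"))
            elif m["name"] == "(no name)" and in_system32(path):
                findings.append(("unnamed-bho", f"{m['clsid']} -> {path}"))
        elif m := O4_RE.match(line):
            exe = split_command(m["cmd"])
            p = PureWindowsPath(exe)
            if m["name"].lower() == p.stem.lower() and in_system32(exe):
                state = "running" if p.stem.lower() in running else "not running"
                findings.append(("mirrored-run-entry",
                                 f"{m['hive']} [{m['name']}] -> {exe} ({state})"))
        elif m := O10_RE.match(line):
            lsp[m["path"].lower()] += 1
        elif m := O23_RE.match(line):
            if m["vendor"] == "Unknown":
                findings.append(("unknown-service", f"{m['name']} -> {m['path']}"))
    for path, count in lsp.items():
        findings.append(("unknown-lsp", f"{path} (listed {count} times)"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

The output is a triage list, not a verdict: the EliteBar BHO in the sample is not flagged because it has a name and lives outside system32, so the reviewer still has to read the unflagged lines.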
     
  2. 2005/02/24
    noahdfear

    Welcome to WindowsBBS Cauli :)

    Your computer has several serious infections, one of which is a new one that infects explorer.exe. If you'd like to try cleaning it up, you can start with the instructions below.

    Better save it to text or print it out. ;)


    Go here to download the free KAV Personal 5.0 Trial (good for 30 days)
    http://www.kaspersky.com/index.html

    Click on *downloads* on the left menu

    Then scroll down and click on *trial versions*

    Then choose *Kaspersky Anti-Virus Personal 5.0*

    You will then have a list of the trial downloads to choose from (choose a location closest to you)

    Choose *save* and it should create and save to a KAV folder on your hard drive

    Navigate to the KAV folder and double-click on kav5.0trial_personalen.exe to install it.

    You will see this screen showing the default folder it will install into. Click on *next*

    If KAV detects another AV running on your PC it will advise you to uninstall it.
    You can do that or you can disable the existing AV program and then press *yes* to continue.
    The way to disable resident protection differs for different anti-virus programs. You might try right clicking on the icon for your AV program in the Windows System tray (on the lower right hand part of the screen) and looking at the different options.
    Alternatively, you may disable your AV from starting with Windows using msconfig (Start > Run and type msconfig and OK. Click on the Startup Tab, uncheck all the startups relating to your AntiVirus and reboot).
    The important thing is to set your current AV *not* to scan as your files are accessed, so that KAV can do its job.

    Next you will see the Kaspersky Anti-Virus Personal 5.0 Setup Wizard. It will advise you to close all other applications before starting setup. Do that and then press *Next* to continue.

    You will then be presented with the License Agreement. Read that and when done you can agree to continue.

    Next is the Customer Information screen. Just fill that in as you prefer and click on *next* to continue

    You will be presented with some important KAV notes. I copied these and saved in Wordpad to refer back to if needed.

    Please remove the green checkmark from the box that says *Operate according to Recommended settings*. This is so we can do a custom install.

    Press *next* to continue after you have read those and unchecked the box for recommended settings

    On the next screen, please uncheck the box for *use real-time protection against network attacks*
    This has been known to cause problems on PCs running certain firewalls, you can try enabling it later after the initial install and scan.

    You may leave the *iStreams technology* box checked if you like (I did) but it is generally recommended not to checkmark that box if you are going to uninstall KAV again after the infection has been removed.

    Now it will choose the Destination folder (mine was fine as pre-selected by KAV). Click *next* to continue

    Now you will get the *finish* screen

    KAV will now open. If you are running a firewall, allow KAV to connect to get the updates it needs. Wait while the updates are downloaded and installed

    Now get the *extended database* of updates as well, to remove the AdWare that Virus.Win32.Bube may have downloaded. Look under *Settings*, then *Configure Updater*, and choose Extended Database. Click *OK*, then Check for Updates, and you will get another smaller update which will install.

    Now click on *Settings* and choose *Configure On-demand scan settings* and select *Perform recommended action* and click *OK*. You might prefer to set the scan level to maximum, just to be sure that nothing is hiding in an email database.

    Close KAV and any open programs you have running.


    It is recommended you run the scan in SAFE MODE

    * Boot into safe mode.
    How to start the computer in Safe mode (here are instructions if you need them)
    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
    Once you have booted into safe mode, physically disconnect from the Internet.

    * Open KAV but do not start the scan yet

    * now and this is very important :

    * Press Ctrl + Alt + Del to bring up Task Manager, go to the Processes tab, right click on explorer.exe and then select stop process

    Now your desktop will go blank and you will have no taskbar or menu etc. You will still have Task Manager and KAV open on the desktop, so do not close them.


    * Now start a full system scan. Click on the protection tab and choose *Scan My Computer*
    * It will take some time, probably 2 or 3 hours, and will delete any infected files it finds
    * KAV will disinfect all files detected as Virus.Win32.Bube and much of the related malware it has downloaded.
    * When it has finished, in Task Manager press File > New Task and type explorer to regain the desktop etc.
    * Close KAV & Task Manager
    * Reboot back into normal mode.

    Additional cleanup may be needed. Post a new HijackThis log when done. Please be sure to post in the forum if you have any questions.

    IMPORTANT NOTE! This virus changes security settings in your trusted zone and in the Windows Security Center. Please be sure to check all of your security settings after disinfecting.
     

  4. 2005/02/26
    Cauli

    Thanks...great progress

    I wrestled with it for most of yesterday, clearing a pesky boot-up/shut-down loop by running the un-updated virus scan in safe mode. Did ultimately perform the update and re-scanned with success. Pop-ups and hijacks are gone :) . Is there anything else to be done? (Here is the current HJT log - thanks again):

    Logfile of HijackThis v1.99.0
    Scan saved at 4:03:05 PM, on 2/26/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\WINNT\System32\svchost.exe
    C:\Documents and Settings\Tom Josephson\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {1F42DC42-E6DD-E30D-21AB-9B43A56C21AF} - (no file)
    O2 - BHO: (no name) - {2B1C5A04-4F08-74F6-C390-B198A6196F8E} - (no file)
    O2 - BHO: (no name) - {2DCC892D-E5EA-C845-2955-E3800779F1B0} - (no file)
    O2 - BHO: (no name) - {2E7673DF-FB9C-D981-EB51-17EF04D6B1EE} - (no file)
    O2 - BHO: (no name) - {2EFC0A62-E83A-7FEF-6663-6ABA476D9507} - (no file)
    O2 - BHO: (no name) - {476BFA47-E46D-B5E1-88B3-37B9F966C283} - (no file)
    O2 - BHO: (no name) - {4848C224-8FCD-CC3B-1C56-B1E87D901E40} - (no file)
    O2 - BHO: (no name) - {49ABF6F6-6D1B-3352-2616-43CC28E93DEC} - (no file)
    O2 - BHO: (no name) - {4C065EC2-1514-1FE4-97FA-F7872AE2CBB4} - (no file)
    O2 - BHO: (no name) - {554B0726-8559-4A35-EDE9-08433D370275} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {72C505DC-0F32-3067-3435-FB0C27C470AD} - (no file)
    O2 - BHO: (no name) - {C267A7AD-A52E-CF61-0FCC-4401F50A609F} - (no file)
    O2 - BHO: (no name) - {DC57E1F9-5C06-E137-F454-B37818756509} - (no file)
    O2 - BHO: (no name) - {EB40EB1C-A201-21A1-8E0D-CB7FF5F34AB5} - (no file)
    O2 - BHO: (no name) - {F75864C2-4D81-5F33-2048-B5DB0446774A} - C:\WINNT\system32\orbakbib.dll (file missing)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wiyrgv.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
     
  5. 2005/02/27
    Lonny Jones

    Hi Cauli

    Dave will continue to help you. I would like to slip in and get a report with this batch file: if you would please download the attachment, extract the file inside to the desktop, run the batch and post the results.
     
  6. 2005/02/27
    noahdfear

    Wow! Good work!! :)

    Right click the desktop and choose new>folder. Name it HJT. Cut and paste HijackThis.exe to that folder.

    Open Spybot, advanced mode, tools, resident and turn off TeaTimer. Verify with Task Manager that it has stopped running.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    All O2 - BHO: entries
    O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wiyrgv.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt

    Reboot and post a new HJT log, along with the log Lonny requested.

    Double check ALL of your Internet Explorer Security Settings.

    You can re-enable TeaTimer now. If you haven't done so already, I also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update. Check for updates from time to time. Still in Spybot, click tools in the left pane, then resident and check the box for SD Helper. Then click IE tweaks and at least lock the HOSTS file. Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.
     
  7. 2005/02/27
    Cauli

    Batch failed, HJT below

    Lonny's batch program failed to dump a result into Notepad. The error received in the DOS window was "...'reg' is not recognized as an internal or external command, operable program or batch file."

    Thanks for your help, guys.
    Here is the current HJT file:
    Logfile of HijackThis v1.99.0
    Scan saved at 9:36:58 PM, on 2/27/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Tom Josephson\Desktop\HJT\HijackThis.exe

    O2 - BHO: (no name) - {1F42DC42-E6DD-E30D-21AB-9B43A56C21AF} - (no file)
    O2 - BHO: (no name) - {2B1C5A04-4F08-74F6-C390-B198A6196F8E} - (no file)
    O2 - BHO: (no name) - {2DCC892D-E5EA-C845-2955-E3800779F1B0} - (no file)
    O2 - BHO: (no name) - {2E7673DF-FB9C-D981-EB51-17EF04D6B1EE} - (no file)
    O2 - BHO: (no name) - {2EFC0A62-E83A-7FEF-6663-6ABA476D9507} - (no file)
    O2 - BHO: (no name) - {476BFA47-E46D-B5E1-88B3-37B9F966C283} - (no file)
    O2 - BHO: (no name) - {4848C224-8FCD-CC3B-1C56-B1E87D901E40} - (no file)
    O2 - BHO: (no name) - {49ABF6F6-6D1B-3352-2616-43CC28E93DEC} - (no file)
    O2 - BHO: (no name) - {4C065EC2-1514-1FE4-97FA-F7872AE2CBB4} - (no file)
    O2 - BHO: (no name) - {554B0726-8559-4A35-EDE9-08433D370275} - (no file)
    O2 - BHO: (no name) - {72C505DC-0F32-3067-3435-FB0C27C470AD} - (no file)
    O2 - BHO: (no name) - {C267A7AD-A52E-CF61-0FCC-4401F50A609F} - (no file)
    O2 - BHO: (no name) - {DC57E1F9-5C06-E137-F454-B37818756509} - (no file)
    O2 - BHO: (no name) - {EB40EB1C-A201-21A1-8E0D-CB7FF5F34AB5} - (no file)
    O2 - BHO: (no name) - {F75864C2-4D81-5F33-2048-B5DB0446774A} - (no file)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
     
  8. 2005/02/27
    noahdfear

    Download the attached BHO.zip file (rename it if it downloads as attachment.php), extract the file and double click to merge it into the registry. It should delete the BHO key, then recreate it, leaving behind all of those O2 entries. Run another HJT scan to see if they're gone.

    Was Spybot's SDHelper checkbox greyed out and unclickable?

    (I'll let Lonny address the bat file) ;)
     
  9. 2005/02/27
    Cauli

    SD Helper? File attachment?

    Sorry Dave, I don't understand your question about the 'greyed out box next to SD Helper'. Are you referring to Spybot Search & Destroy?

    I've downloaded, updated and activated SpyWareBlaster. Thanks for the advice on that one. Looks good.

    Also didn't see the attachment you referred to.

    Thanks again
     
  10. 2005/02/27
    noahdfear

    Hmmm, trying again on the attachment (there have been some problems lately.......or maybe I forgot :rolleyes: )

    Yes, I was referring to Spybot's SDHelper, available in the same window as TeaTimer. It should be checked, and would show up in your HJT log as a BHO. Wait until after you've run the attachment to enable it. ;)
     
  11. 2005/02/28
    Lonny Jones

    Forget the batch file I suggested (Duh), I overlooked that it's a Win2k system.
     
  12. 2005/02/28
    Cauli

    Downloaded, extracted and ran the BHO.zip file (it did not need renaming). SDHelper cannot be selected in the current configuration (TeaTimer is running). You guys are awesome. Thanks for sharing your knowledge.

    Current HJT log:
    Logfile of HijackThis v1.99.0
    Scan saved at 4:40:49 PM, on 2/28/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINNT\System32\svchost.exe
    C:\Documents and Settings\Tom Josephson\Desktop\HJT\HijackThis.exe
    C:\WINNT\notepad.exe
    C:\WINNT\system32\taskmgr.exe

    O2 - BHO: (no name) - {1F42DC42-E6DD-E30D-21AB-9B43A56C21AF} - (no file)
    O2 - BHO: (no name) - {2B1C5A04-4F08-74F6-C390-B198A6196F8E} - (no file)
    O2 - BHO: (no name) - {2DCC892D-E5EA-C845-2955-E3800779F1B0} - (no file)
    O2 - BHO: (no name) - {2E7673DF-FB9C-D981-EB51-17EF04D6B1EE} - (no file)
    O2 - BHO: (no name) - {2EFC0A62-E83A-7FEF-6663-6ABA476D9507} - (no file)
    O2 - BHO: (no name) - {476BFA47-E46D-B5E1-88B3-37B9F966C283} - (no file)
    O2 - BHO: (no name) - {4848C224-8FCD-CC3B-1C56-B1E87D901E40} - (no file)
    O2 - BHO: (no name) - {49ABF6F6-6D1B-3352-2616-43CC28E93DEC} - (no file)
    O2 - BHO: (no name) - {4C065EC2-1514-1FE4-97FA-F7872AE2CBB4} - (no file)
    O2 - BHO: (no name) - {554B0726-8559-4A35-EDE9-08433D370275} - (no file)
    O2 - BHO: (no name) - {72C505DC-0F32-3067-3435-FB0C27C470AD} - (no file)
    O2 - BHO: (no name) - {C267A7AD-A52E-CF61-0FCC-4401F50A609F} - (no file)
    O2 - BHO: (no name) - {DC57E1F9-5C06-E137-F454-B37818756509} - (no file)
    O2 - BHO: (no name) - {EB40EB1C-A201-21A1-8E0D-CB7FF5F34AB5} - (no file)
    O2 - BHO: (no name) - {F75864C2-4D81-5F33-2048-B5DB0446774A} - (no file)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
     
  13. 2005/02/28
    noahdfear

    First, turn off TeaTimer again. Go here and download SDHelper.dll. Extract the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

    Reboot to safe mode, log on to the Admin account and run the BHO.reg again. Boot back to safe mode and run another HJT scan. Let us know if those O2 BHO entries are still present.

    Are you familiar/comfortable with regedit?
     
  14. 2005/02/28
    Cauli

    All tasks completed as instructed and the O2 BHO entries persist (according to HJT).
    SDHelper now works and is active.
    I've used RegEdit in the past, but never with the confidence I'll have with your advice and instruction.

    Thanks again,
    Cauli
     
  15. 2005/02/28
    noahdfear

    TeaTimer will need to be off.

    Open regedit and navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    You'll need to locate each of these subkeys and change the permissions. Be careful to select the right ones. Now that you have enabled SDHelper, there may be one for it too. ;)

    {1F42DC42-E6DD-E30D-21AB-9B43A56C21AF}
    {2B1C5A04-4F08-74F6-C390-B198A6196F8E}
    {2DCC892D-E5EA-C845-2955-E3800779F1B0}
    {2E7673DF-FB9C-D981-EB51-17EF04D6B1EE}
    {2EFC0A62-E83A-7FEF-6663-6ABA476D9507}
    {476BFA47-E46D-B5E1-88B3-37B9F966C283}
    {4848C224-8FCD-CC3B-1C56-B1E87D901E40}
    {49ABF6F6-6D1B-3352-2616-43CC28E93DEC}
    {4C065EC2-1514-1FE4-97FA-F7872AE2CBB4}
    {554B0726-8559-4A35-EDE9-08433D370275}
    {72C505DC-0F32-3067-3435-FB0C27C470AD}
    {C267A7AD-A52E-CF61-0FCC-4401F50A609F}
    {DC57E1F9-5C06-E137-F454-B37818756509}
    {EB40EB1C-A201-21A1-8E0D-CB7FF5F34AB5}
    {F75864C2-4D81-5F33-2048-B5DB0446774A}

    Right click the key and select permissions. Highlight Everyone in the top pane, then check the full control box in the access column below. If YourComputerName\YourUserName is in the top pane, do the same for it. If it's not, click Add. Type your username in the Enter object names to select window, then click Check Names. YourComputerName\YourUserName should appear in the window. Click OK. Select your username on the Security tab and check full control in the access column below. Click OK to close permissions box. Now right click the key and delete.

    When done, close regedit and reboot. Run another HJT scan and let us know the results.
     
  16. 2005/03/01
    Cauli

    Right click does not offer permissions option

I navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects within regedit and all the keys you noted are there. When I right click on them the only options given me are:
    Expand (greyed out)
    New (with subsequent options)
    Find
    Delete
    Rename
    Copy key name

    Delete brings up 'error deleting key' dialog.
    This system was set up with single user and autologin initially. I have Admin rights as the 1st user. Sailing in unfamiliar waters now.
     
  17. 2005/03/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    New one on me too. :confused: Try using Reglite. Select properties if available and you will get a permissions key.
     
  18. 2005/03/15
    Cauli

    Cauli Inactive Thread Starter

    Joined:
    2005/02/23
    Messages:
    8
    Likes Received:
    0
    Dave-
It's been a while but I tried the Reglite and these are the results of the HJT file. The system has been running fine in the interim. Thanks again.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:49:11 PM, on 3/15/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tom Josephson\Desktop\HJT\HijackThis.exe

    O2 - BHO: (no name) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...=43&langCode=&subcatId=1003&tm=901&expId=5813
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
     
  19. 2005/03/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Cauli,

    Good to see those BHO's gone. Odd there's a new one with no file, and I see sysmonnt came back, though not showing as a running process. Fix these with HJT and reboot, then post a new log.

    O2 - BHO: (no name) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)
    O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt

    Is the sysmonnt file back in the system32 folder?

    Although I see KAV as a service in your log, I don't see any related running process. Are you still using the trial version of KAV? If so, I recommend you get something permanent, disconnect from the internet, uninstall the KAV and install the new. Also recommend using a third party firewall.
     