Full Version: CWS hijacker help plz
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
Nate
I have what appears to be the CWS virus.

1) my homepage keeps getting set to jimbutt.com/stuffs/
2) it keeps creating a 'WebSiteViewer' dir in Program Files
3) pops up an IE6 page in combination with some dialer prog
S+D keeps finding TIBS but can't seem to keep it gone.

4) this one might be unrelated, but the file IBS.EXE won't delete from C:\WINNT even after I delete the registry entry (I followed a BloodhoundExploit6 fix)


I've had no luck with Norton's Corp Ed, Spybot S+D, nor Ad Aware so far, so I followed a suggestion to go here and use HiJack This with some direction.


Anyone want to fill me in on what to do? Help!!
Nate
More info: I'm running Windows 2000 and it's creating misb.exe and ml00!.exe in C:\

I just ran the current CWS Shredder and it couldn't permanently remove the Smart Search.

When I try to fix the 'R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/' line using HiJackThis it just continues to come back...
LF from MC
Hi Nate, welcome to SAF


If you go Here and read Angoid's Tutorial, and then download HijackThis, there is a link for it about half way down.


It might not be until tomorrow before someone can help you, but there will be someone along.

Thank you
Lorraine
Nate
log file

Logfile of HijackThis v1.99.1
Scan saved at 12:37:12 AM, on 5/1/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Mozilla\mozilla.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://mailcity.lycos.com/"); (C:\Program Files\Netscape\Users\nweiss\prefs.js)
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINNT\System32\popup_bl.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINNT\drexinit.dll
O2 - BHO: (no name) - {F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} - C:\WINNT\system32\iozetu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - S & D\SpybotSD.exe" /autocheck
O4 - Global Startup: GetRight Monitor.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O12 - Plugin for .aiff: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.midhudsonmls.com/XMLSearch/XMLCache.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE

Nate
Well, I've managed to get rid of the symptoms, or at least most of them.

But I can't kill the source that keeps popping open IE to http://terra.es/personal6/dames5/nger.html,

which loads the viruses (virii?) into Temp Internet Files and recreates the issues.


Sure would be nice if IE wasn't bundled with Windows


Spybot is now finding an AllCyberSearch reg entry which it claims to fix but refinds each time.
HKEd
Hi Nate...run a HijackThis scan and put checks in the boxes next to these lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/

All of these:

O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk

O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINNT\System32\popup_bl.dll

O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINNT\drexinit.dll

O2 - BHO: (no name) - {F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} - C:\WINNT\system32\iozetu.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.midhudsonmls.com/XMLSearch/XMLCache.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe


Close all open windows except HJT and click on 'Fix checked'. Reboot for the changes to take effect and post a fresh log.

Have you run CWShredder and AdAware? You should if not.

This one worries me:

O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE

Do you use StealthDisk? That's what the file is associated with, but it should not be running as a service from the recycle bin.
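HKEd's instructions above single out the same categories of log line a helper looks for by hand: hosts entries that point security vendors' sites at 127.0.0.x, unnamed BHOs, ActiveX installed from a local .cab, and a service running out of the Recycle Bin. The script below is an added example (mine, not HKEd's, Angoid's or HijackThis's own code) that applies those heuristics to lines in the shape of a HijackThis 1.99.1 log. The sample lines are constructed from entries that appear in this thread, including the `res://...se.dll` search-bar and `O18` filter entries posted later, and the "suspect directory" list and severity labels are my own assumptions, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: a handful of lines shaped like the HijackThis 1.99.1 log
# posted in this thread (not the full log).
SAMPLE_LOG_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KATIEB~1\LOCALS~1\Temp\se.dll/sp.html",
    r"O1 - Hosts: 127.0.0.0 localhost",
    r"O1 - Hosts: 127.0.0.36 safer-networking.org",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} - C:\WINNT\system32\iozetu.dll",
    r"O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab",
    r"O18 - Filter: text/html - {07D23355-940A-4E60-9D93-C29F125DAA70} - C:\WINNT\system32\gkegdh.dll",
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe",
    r"O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE",
]


@dataclass
class Finding:
    severity: str  # "fix": known hijack pattern; "review": user must confirm
    line: str
    reason: str


# Line shapes as HijackThis prints them (regexes written for this example).
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
R_RE = re.compile(r"^R[0-3] - (.+?) = (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? - (.+)$")
FILTER_RE = re.compile(r"^O18 - Filter: (\S+) - \{[0-9A-Fa-f-]+\} - (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Directories no legitimate service or browser component should run from (assumption).
SUSPECT_DIRS = ("\\recycler\\", "\\temp\\", "\\temporary internet files\\")


def _in_suspect_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPECT_DIRS)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply the thread's manual heuristics to HijackThis log lines."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # A clean hosts file only needs "127.0.0.1 localhost"; any other 127.x
            # mapping silently blackholes the named site (here: security vendors).
            if not (ip == "127.0.0.1" and host.lower() == "localhost"):
                findings.append(Finding("fix", line, f"hosts file sends {host} to {ip}"))
        elif m := R_RE.match(line):
            _key, target = m.groups()
            low = target.lower()
            if low.startswith("res://") or ".dll" in low:
                # Start/search page rendered out of a DLL on disk: classic CWS about:blank variant.
                findings.append(Finding("fix", line, "search/start page served from a local DLL"))
            elif low == "about:blank":
                findings.append(Finding("review", line, "about:blank is a common hijacker placeholder"))
            else:
                findings.append(Finding("review", line, f"browser setting points to {target}; confirm you set it"))
        elif m := BHO_RE.match(line):
            name, path = m.groups()
            if name == "(no name)" or _in_suspect_dir(path):
                findings.append(Finding("fix", line, f"unnamed BHO loading {path}"))
        elif m := DPF_RE.match(line):
            src = m.group(1)
            if src.lower().startswith("file://") or _in_suspect_dir(src):
                findings.append(Finding("fix", line, f"ActiveX installed from local file {src}"))
        elif m := FILTER_RE.match(line):
            mime, path = m.groups()
            # A text/html or text/plain filter lets one DLL rewrite every page IE renders.
            findings.append(Finding("fix", line, f"content filter for {mime} via {path}"))
        elif m := SERVICE_RE.match(line):
            name, owner, path = m.groups()
            if _in_suspect_dir(path) or owner.lower() == "unknown owner":
                findings.append(Finding("fix", line, f"service '{name}' runs from {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The script deliberately leaves well-known vendor BHOs and Program Files services alone and only escalates on structural red flags, so a clean log produces no "fix" lines; everything it does flag maps to one of the boxes HKEd asks to be ticked.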
Nate
hopefully someone can zero in on this?

I'm down to this, but can't seem to kill the source of the IE page loader.

Logfile of HijackThis v1.99.1
Scan saved at 2:09:54 AM, on 5/2/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Mozilla\mozilla.exe
C:\Program Files\Winamp\winamp.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://mailcity.lycos.com/"); (C:\Program Files\Netscape\Users\nweiss\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HiJackThis\HijackThis.exe /startupscan
O4 - Global Startup: GetRight Monitor.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O12 - Plugin for .aiff: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.midhudsonmls.com/XMLSearch/XMLCache.CAB
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE

--------------------------------------------------------------------------------------------------------------------------------

This first scan item and the last came back after I checked the box and hit fix. I tried it a number of times on those two with no luck... would a reboot make a difference?

The Party Poker and MidHudsonMLS Cab items should be fine, as I've had Party Poker installed for some time now and I use the MLS site for realty research.

The last item worries me too.
QUOTE
mssvc.exe is a process associated with the StealthDisk application used for hiding and encrypting files and folders. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems. Note! This process may also be associated with the NEGASMS.A TROJAN!


Nate
Thank you for the info HKEd.

I missed your post and just now went back and edited my last post with the current situation.

Seems like it's the TIBS dialer, if that means anything useful.
Angoid
Hi Nate,

Can you check the properties on C:\Program Files\Winamp\winamp.exe - it should hopefully be the Nullsoft Media Player (sorry about the popup you'll get at that site), which is OK (the well-known WinAmp's executable name is winampa.exe). This filename is also associated with the AGOBOT-MC worm.

You asked whether a reboot would have made any difference .... in this case, you should have been OK with following HKEd's instructions. Sometimes it's necessary to boot into Safe Mode, but he would have said so if that was necessary.

That R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/ has returned, suggesting we didn't get something.

It's worrying to see anything running out of the Recycle Bin, but I'm doing a bit of research on it.

Everything else in your log now looks OK
Angoid
Hi Nate,

An update ..... for the Jimbutt crud ....

Can you set your system to show all files.

Run both Spybot Search and Destroy and Ad-Aware to update them; but don't get either to perform a full scan just yet.

Reboot into Safe Mode.

Using Windows Explorer, see if you can find a file called C:\WINNT\System32\systr.dll. If so, do the following:

1. Rename it to systr_back.dll
2. Fix the jimbutts line in your HijackThis log again
3. Exit HijackThis.

Regardless of the above, it's worth doing the following:

Run your updated Spybot S&D in Safe Mode and have it clean any infections it found.
Run Ad-Aware (still in Safe mode) and have it, too, clean any infections found.

Reboot afterwards again into normal mode

After this see if the jimbutts is still there. If not, remove the renamed systr_back.dll file.

Let us know how it goes and post back another HijackThis log!
Nate
I tried all of that in safe mode just now. I had previously been running S+D and AdAware as well as Norton's, but I don't think that would change the results.

I was not allowed to do anything to systr.dll ('being used by Windows').
I tried killing rundll.exe but I still couldn't alter that file.

HJT still can't do anything to jimbutts or the MSSvc.exe

and IE just popped open again, so it's still all here despite all the rest...


Ad Aware finds a couple of reg keys for IEHijacker.Hotoffers but they just come back immediately.

Spybot cleans out TIBS and claims to be clean and clear.

CWS Shredder claims to have removed it fully and came up clean on the rescan.


Current HJT log, which is basically the same as before, give or take a few OK progs:

Logfile of HijackThis v1.99.1
Scan saved at 1:30:21 PM, on 5/2/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINNT\MXOALDR.EXE
C:\Program Files\HiJackThis\HijackThis.exe
C:\Program Files\Mozilla\mozilla.exe
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://mailcity.lycos.com/"); (C:\Program Files\Netscape\Users\nweiss\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - S & D\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HiJackThis\HijackThis.exe /startupscan
O4 - Global Startup: GetRight Monitor.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O12 - Plugin for .aiff: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.midhudsonmls.com/XMLSearch/XMLCache.CAB
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE


Nate
Norton continues to find the Bloodhound.Exploit6 in a file named ifect.anr which keeps coming up in my Temp Inet Files and Content.IE5 dirs. It can't clean it, but it does quarantine it.

Any known fixes for this virus?
HKEd
Hi Nate...Bloodhound is what Norton calls malware it can't identify. If it's located in those folders, it's something you pick up as you surf. Set IE to empty the temp internet files folder when it closes (Internet Options > Advanced tab). Install CleanUp! to keep those files and other temp files to a minimum. It doesn't help that you do not have all your Windows updates installed. That should be a priority now.

Download Killbox and unzip it to the desktop. Run it and paste this line into the 'Full Path of File to Delete' box:

C:\WINNT\System32\systr.dll

Click on 'Delete on Reboot' and then the red button with the white X. Reboot when prompted. Does it reappear?
Nate
Thank you, that's done it.

The item running in the recycler still doesn't seem to want to come clean, but it doesn't seem to be doing anything malicious either:

O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE


So I've managed to add Killbox, HiJackThis, Process Explorer, and CWShredder to what I was already using (Norton, AdAware, Spybot). Would there be any recommendable additions to avoid stuff like this in the future?
HKEd
Is MSSvc.EXE on the system, Nate? You can get rid of the O23 in HijackThis. Click on Config > Misc Tools and 'Delete an NT Service'. Copy/paste this into the box:

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE

It will delete the registry key.

Also, go to Start > Run > type services.msc and OK it. Scroll down through the services and locate Microsoft DHCP Routing Client (services). Make sure it is stopped and its startup is set to 'Disabled'.

Reboot and post a fresh HJT log so we can check all is well. This Jimbutt thing can be tricky to remove.
HKEd
QUOTE
Would there be any recommendable additions to avoid stuff like this in the future?


As mentioned earlier, the best protection is Windows updates. A 'raw' system is a magnet for malware. Third-party programs to install are SpywareGuard and SpywareBlaster - both free and from Javacool Software.
Nate
QUOTE (HKEd @ May 2 2005, 11:26 PM)
Is MSSvc.EXE on the system, Nate? You can get rid of the O23 in HijackThis. Click on Config > Misc Tools and 'Delete an NT Service'. Copy/paste this into the box:

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE

It will delete the registry key.

Also, go to Start > Run > type services.msc and OK it.  Scroll down through the services and locate Microsoft DHCP Routing Client (services).  Make sure it is stopped and its startup is set to 'Disabled'.

Reboot and post a fresh HJT log so we can check all is well.  This Jimbutt thing can be tricky to remove.

HJT couldn't find that registry key to delete as you instructed. It still shows in the scan though.


Also, services.msc will not run. "Access to the specified device... is denied"

Spybot keeps finding a reg entry called CoolWWWSearch.Leftovers, and my IE browser loaded to about:blank and set it as the homepage instead of Google. So, there is still something there.
The C:\Documents and Settings\User\Local Settings\Temp folder has an se.dll that I don't recognize...
Nate
Current log, with all the about:blank entries and the se.dll which won't stay killbox'd:

Logfile of HijackThis v1.99.1
Scan saved at 2:10:02 PM, on 5/3/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINNT\MXOALDR.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINNT\system32\services.exe
C:\Program Files\Mozilla\mozilla.exe
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KATIEB~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KATIEB~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://mailcity.lycos.com/"); (C:\Program Files\Netscape\Users\nweiss\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3CD81B35-9468-4136-B955-AA46F713F1FD} - C:\WINNT\system32\gkegdh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - S & D\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HiJackThis\HijackThis.exe /startupscan
O4 - Global Startup: GetRight Monitor.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O12 - Plugin for .aiff: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.midhudsonmls.com/XMLSearch/XMLCache.CAB
O18 - Filter: text/html - {07D23355-940A-4E60-9D93-C29F125DAA70} - C:\WINNT\system32\gkegdh.dll
O18 - Filter: text/plain - {07D23355-940A-4E60-9D93-C29F125DAA70} - C:\WINNT\system32\gkegdh.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE

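The log above already shows the CoolWebSearch pattern in full: the R1 search bar points at a resource inside se.dll in a Temp directory, gkegdh.dll is both a nameless O2 BHO and an O18 filter for text/html and text/plain (a MIME filter sees every page before IE renders it, which is why fixing the R0/R1 lines alone never sticks), and the O23 "services" entry runs MSSvc.EXE out of a RECYCLER folder. As an added example, not part of the thread and not code from HijackThis, here is a Python triage script that parses those HJT line types and flags the indicators. The sample is constructed from the log above plus the O20 AppInit_DLLs line HKEd asks for later in the thread and the "(file missing)" marker from Nate's later log; the directory and "trusted root" lists are my own assumptions.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis log posted above, plus the O20
# AppInit_DLLs line HKEd later expects to see. Embedded so the script runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KATIEB~1\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3CD81B35-9468-4136-B955-AA46F713F1FD} - C:\WINNT\system32\gkegdh.dll
O18 - Filter: text/html - {07D23355-940A-4E60-9D93-C29F125DAA70} - C:\WINNT\system32\gkegdh.dll
O18 - Filter: text/plain - {07D23355-940A-4E60-9D93-C29F125DAA70} - C:\WINNT\system32\gkegdh.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - AppInit_DLLs: C:\WINNT\System32\kbd.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
SUSPICIOUS_DIRS = ("\\recycler\\", "\\recycled\\", "\\temp\\")       # assumption: no service belongs here
TRUSTED_ROOTS = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")  # assumption for this box


def _clean_path(path):
    """Strip HJT's '(file missing)' marker; return (path, missing)."""
    missing = path.endswith("(file missing)")
    return path.replace("(file missing)", "").strip(), missing


def parse_line(line):
    """Split one HJT line into (section, fields); None for non-HJT text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec.startswith("R"):                      # "HKCU\...,Start Page = value"
        key, _, value = body.partition(" = ")
        return sec, {"key": key, "value": value}
    if sec in ("O2", "O18", "O23"):
        # "BHO: name - {CLSID} - path", "Filter: mime - {CLSID} - path",
        # "Service: name - owner - path"; the path itself may contain " - "
        _, _, rest = body.partition(": ")
        parts = rest.split(" - ", 2)
        if len(parts) != 3:
            return sec, {"raw": body}
        path, missing = _clean_path(parts[2])
        return sec, {"first": parts[0], "second": parts[1], "path": path, "missing": missing}
    if sec == "O20":                             # "AppInit_DLLs: path" or "Winlogon Notify: name - path"
        kind, _, rest = body.partition(": ")
        name, _, path = ("", "", rest) if kind == "AppInit_DLLs" else rest.partition(" - ")
        path, missing = _clean_path(path)
        return sec, {"kind": kind, "name": name, "path": path, "missing": missing}
    return sec, {"raw": body}


def triage(log_text):
    """Return (section, reason, path) findings for CWS-style indicators in an HJT log."""
    findings = []
    dll_roles = defaultdict(set)                 # lower-cased DLL path -> roles it is hooked under
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or "raw" in parsed[1]:
            continue
        sec, f = parsed
        path = f.get("path", "")
        lpath = path.lower()
        if sec.startswith("R") and "res://" in f["value"].lower():
            # start/search page served out of a DLL resource: the se.dll trick
            findings.append((sec, "IE start/search page served from a DLL resource", f["value"]))
        elif sec == "O2":
            dll_roles[lpath].add("BHO")
            if f["first"] == "(no name)":
                findings.append((sec, "BHO registered without a name", path))
        elif sec == "O18":
            dll_roles[lpath].add("MIME filter")
            if f["first"] in ("text/html", "text/plain"):
                # a text/html filter sees (and can rewrite) every page before IE renders it
                findings.append((sec, f"{f['first']} MIME filter hijack", path))
        elif sec == "O20" and f["kind"] == "AppInit_DLLs":
            findings.append((sec, "AppInit_DLLs loads this DLL into every process that uses user32", path))
        elif sec == "O23":
            if any(d in lpath for d in SUSPICIOUS_DIRS):
                reason = "service binary in a temp/recycler directory"
                if f["missing"]:
                    reason += " (file missing: orphaned service key, remove it by hand)"
                findings.append((sec, reason, path))
            elif f["second"] == "Unknown owner" and not lpath.startswith(TRUSTED_ROOTS):
                findings.append((sec, "service with no vendor info outside system/program dirs", path))
    # the CWS hallmark: one random-named DLL registered both as a BHO and as a MIME filter
    for lpath, roles in dll_roles.items():
        if len(roles) > 1:
            findings.append(("O2/O18", "same DLL registered as " + " and ".join(sorted(roles)), lpath))
    return findings


if __name__ == "__main__":
    for sec, reason, path in triage(SAMPLE_LOG):
        print(f"{sec:6} {reason}: {path}")
```

Paste a whole HJT log into `triage()`; the Acrobat BHO, DefWatch and NavLogon lines come back clean, while the seven CWS indicators in the sample are reported. The cross-reference at the end is the useful part: the same DLL showing up as both a BHO and a MIME filter is worth more than either line on its own.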
Nate
I think I've got the thing eradicated. CWShredder and the rest all came up clean. I'll reboot and post a new HJT just for reference.


I had to kill C:\WINNT\system32\gkegdh.dll and the ...\Temp\se.dll a few times but it finally seems they're out to stay.


Thanks again for getting some of this cured and getting me on the right track.
HKEd
Ok, let us know how it goes, Nate. That SE.DLL can be a bugger to fix. There's usually a hidden loader.
Nate
Yeah, it came back with a different C:\WINNT\system32\random.dll

Same method killed it; appears OK for now.

I browsed to the folder within the Recycler and found a bunch of suspicious files and have deleted them all. Am I right to assume nothing important would be stored or run from there?
Nate
And on that last idea, I cannot delete C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443

my actual recycle bin seems to be C:\RECYCLER\S-1-5-21-1801674531-299502267-682003330-1000


Would I be able to use killbox on the mal dir inside the recycler? And would this be safe/advisable?
HKEd
Should be able to delete Recycler itself, Nate. Windows will recreate it. But that may be a little drastic for what may be just a registry item. I asked this before...can't see an answer: "Is MSSvc.EXE on the system?"

That hidden DLL will keep reloading the random DLL each time you reboot. Download DllCompare.exe to the desktop. Start the program and click on Locate.com and wait until the scan is complete. Then click on 'Compare' to begin the sorting process.

Files in the bottom section have some form of problem being accessed. There will be only a few files listed there once that Compare scan is complete. Use 'Make a Log of What was Found' to generate a log to post here.

If you want to use Killbox on the random DLL yourself, feel free, but be warned that not all files that DLLCompare finds are malicious. Some files may be needed. Post the log if you have any doubt. I know what the file looks like.
Nate
The reason I thought I was clean was that CWShredder didn't find HiddenDLL the last few times I ran it... guess that's rather faulty too.

MSSvc.EXE is not in the system, not on the C drive, and HJT comes up with file missing. It does find a few instances of "ntmssvc.dll"

Any reason why it still finds it as an O23 if it isn't there?

O23 - Service: Microsoft DHCP Routing Client (services) - Unknown owner - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE (file missing)


While HJT finds C:\WINNT\system32\pfbgl.dll as the current name for the mal dll, DLLCompare found something else...

--------------------------------------------------------------------------------------------

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\kbd.dll Tue Jun 22 2004 11:01:16p ..... 57,344 56.00 K
________________________________________________

1,416 items found: 1,416 files, 0 directories.
Total of file sizes: 272,867,803 bytes 260.23 M

Administrator Account = True

--------------------End log---------------------


Err, I couldn't find kbd.dll in \system32\

I think part of the problem is that the mal dll is actually being used by Windows, no?
HKEd
Yeah, Nate...sometimes these buggers hook into Explorer.exe so they're active even in safe mode.

That looks like CWS, but I want to make sure. Copy the text below to Notepad and save it with a BAT extension:

CODE
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt


Run it and post the Windows.txt file it generates.
QUOTE
Any reason why it still finds it as an O23 if it isnt there?

Some of the registry services keys can be tricky. HJT doesn't always fix them. We may have to do it manually.
Nate
I'm not sure I understand.

Do I save the .txt file as a .bat file?

And do I save it to that location, or save it with that text in it?
HKEd
Under File, use 'Save as', then 'All files' (the drop-down box) and call it Look.bat or whatever you like, as long as it has a BAT extension. It won't work as a TXT file.
HKEd
Copy/paste the bold text to Notepad, use 'Save as' > All Files ('Save as type' box), save it to the desktop and double-click on it.

It's just exporting a registry key that will confirm if Kbd.dll is the culprit. Most of it will look like gibberish, but post it anyway.
Nate
OK, now how do I get a log?

The DOS-type window it opens closes almost immediately.
HKEd
Is there a windows.txt file on the desktop after running it? Or a windows.hiv file? If the latter, open it with Notepad. I just need to see the contents. It's not a log.

I have to go out for a couple of hours. I'll check back later.
Nate
no, neither.

Is there supposed to be a space or a return after the first .hiv in the bold text?

It runs cmd.exe, but it closes too quickly to read what it's doing.
HKEd
It's exactly as posted. Works for me - I just double-checked it.

We'll try another way. Download and install Registrar Lite. Run it and copy this line into the address bar:

CODE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


Click on 'Go'. The registry will open at the AppInit_DLLs key. Is Kbd.dll listed there?
Nate
Kbd.dll only shows up when I double-click on AppInit_DLLs in the list that comes up after I click 'Go'.

C:\WINNT\System32\kbd.dll is shown in the Data Editor as the value for key name 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows', value name AppInit_DLLs. It is a REG_SZ type and the size is 26.
HKEd
Hi Nate...can you double-click on it and clear C:\Windows\System32\Kbd.dll? Close RegLite then run it again and go to the same key. Does it still show?
HKEd
It may not let you clear it, so try this:

Download Hiving_154 from here. Unzip it to the desktop. Log off the Internet and stay off until all of these steps have been completed.

Double-click on Hiving.bat to run it. Reboot when it has finished. (If you have script blocking enabled you will get a warning. Allow this to run - the script is not malicious.) Allow the entire script to run once. When it is done, the script will produce a message box letting you know.

Next, run HijackThis. You should now be able to see this line:

O20 - AppInit_DLLs: C:\WINDOWS\System32\kbd.dll

Fix it and reboot to safe mode.

Locate kbd.dll. When you find it, right-click on it and select Properties. Click on the Security tab, click on Advanced and then click on the Owner tab. Select your name in the list and take ownership of the file. Click OK etc. See if you can delete it.

Post another HijackThis log when finished.



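HKEd's batch file above uses `reg save`, which writes a binary hive, so the result looks like gibberish in Notepad no matter what it is renamed to; `reg export` from the same tool writes the text .reg format instead. Neither command exists on a stock Windows 2000 install, because reg.exe only shipped with the Support Tools there (it became a built-in with XP), which is the "'Reg' is not recognized" error that turns up when the Hiving script runs. As an added example, not from the thread and not code from any of the tools mentioned in it, here is a Python parser for that text export format that answers the two questions HKEd is working through in the Registrar Lite and Hiving steps: what is in AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, and which service keys point at a binary in a temp or RECYCLER directory (the O23 entry HJT could not fix). The sample export is constructed: the AppInit_DLLs value is the one Nate reported in Registrar Lite, and the service ImagePath is a shortened stand-in for the RECYCLER path in the HJT log, stored as hex(2) across continuation lines the way regedit writes REG_EXPAND_SZ. The suspicious-directory list is my assumption.

```python
import re

# Constructed sample in the text format written by "reg export" / regedit File > Export.
# The AppInit_DLLs value is what Nate saw in Registrar Lite; the "services" key is a
# shortened stand-in for the RECYCLER service in the HJT log, with ImagePath stored as
# hex(2) (REG_EXPAND_SZ, UTF-16LE bytes) over continuation lines, as regedit does.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\System32\\kbd.dll"
"DeviceNotSelectedTimeout"="15"
"UserSelectedDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\services]
"DisplayName"="Microsoft DHCP Routing Client"
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,52,00,45,00,43,00,59,00,43,00,4c,00,45,00,52,00,5c,00,\
  53,00,2d,00,31,00,2d,00,35,00,2d,00,32,00,31,00,2d,00,31,00,34,00,34,00,\
  33,00,5c,00,4d,00,53,00,53,00,76,00,63,00,2e,00,45,00,58,00,45,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DefWatch]
"DisplayName"="DefWatch"
"ImagePath"="C:\\Program Files\\NavNT\\defwatch.exe"
'''

WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SUSPICIOUS_DIRS = ("\\recycler\\", "\\recycled\\", "\\temp\\")   # assumption: no service belongs here
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')      # "name"=data  or  @=data


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash) into single logical lines."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\") and not buf.startswith("["):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg escapes backslash and quote with a backslash


def _parse_data(data, encoding):
    """Decode the right-hand side of a .reg value line into (type, value)."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", data, re.I)
    if m:
        kind = (m.group(1) or "3").lower()     # bare "hex:" is REG_BINARY
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == "2":
            return "REG_EXPAND_SZ", raw.decode(encoding).rstrip("\x00")
        if kind == "7":
            return "REG_MULTI_SZ", [s for s in raw.decode(encoding).split("\x00") if s]
        return "REG_BINARY", raw
    if data == "-":
        return "DELETED", None
    return "UNKNOWN", data


def parse_reg_export(text):
    """Parse a .reg export into {key path (lower-case): {value name: (type, value)}}."""
    lines = list(_logical_lines(text))
    header = lines[0].lstrip("\ufeff") if lines else ""
    # v5 files store hex strings as UTF-16LE; REGEDIT4 (what Windows 2000 writes) uses the ANSI code page
    encoding = "utf-16-le" if header.startswith("Windows Registry Editor") else "cp1252"
    keys, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _parse_data(m.group(3), encoding)
    return keys


def _get(values, name):                        # value names are case-insensitive in the registry
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)


def appinit_dlls(keys):
    """DLL paths listed in AppInit_DLLs (space or comma separated); [] means the value is clean."""
    entry = _get(keys.get(WINDOWS_KEY, {}), "AppInit_DLLs")
    if not entry or not isinstance(entry[1], str):
        return []
    return [p for p in re.split(r"[ ,]+", entry[1]) if p]


def rogue_services(keys):
    """(service name, ImagePath) for services whose binary lives in a temp or recycler directory."""
    hits = []
    for key, values in keys.items():
        if "\\currentcontrolset\\services\\" not in key:
            continue
        entry = _get(values, "ImagePath")
        if entry and isinstance(entry[1], str) and any(d in entry[1].lower() for d in SUSPICIOUS_DIRS):
            hits.append((key.rsplit("\\", 1)[1], entry[1]))
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("AppInit_DLLs:", appinit_dlls(reg) or "(empty)")
    print("rogue services:", rogue_services(reg))
```

On a box that has reg.exe, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" windows.reg` produces the input; on Windows 2000 use File > Export in regedit, which writes the REGEDIT4 variant the parser treats as ANSI text. Export HKLM\SYSTEM\CurrentControlSet\Services the same way to catch the orphaned "services" key. An empty list from `appinit_dlls()` is the result to aim for after the Hiving step; anything else means the value came back and the loader is still around.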
Nate
Yes, the kbd.dll location returned for that value after I cleared it.

HJT currently finds only one O20 (O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll) which is a part of Norton.

How does one log off the internet?

I'll unplug my comp from the router and do all this...
Nate
Hmm, when I run hiving.bat, cmd.exe returns

Working
'Reg' is not recognized as an internal or external command,
operable program or batch file.

and a pop up that's titled 'VBScript: No Appinit_Dlls value Present Removal Aborted. OK?'

and no desktop item is created.

I did recently use killbox on the \system32\ dll so it is running clean at the moment. When it returns I will follow this process again and see if the results are different.
Invision Power Board © 2001-2009 Invision Power Services, Inc.