[done]Trojan Horse BackDoor.Agent.BA.

[Smallfry]

Ok working on a friends computer and he's had this one for awhile.

AVG pops up about 10 times on startup with the following virus.
Trogan Horse BackDoor.Agent.BA
in
C:\windows\system32\comfc.dll

AVG cannot heal it or remove it to virus vault as the file is in use. Restarting in safe mode and running AVG still wont fix it.
I've run both Ad Aware and SD Spybot (amazing how much junk they find between them) but the virus is still popping up.

Anyway heres the HijackThis log.

Hope you can help.

Logfile of HijackThis v1.97.7
Scan saved at 11:08:27, on 07/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {858044B9-1583-42E1-A34C-4B13EA6E09F5} - C:\WINDOWS\System32\dfoaf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC95EC47-8E7D-4398-A513-2B44FFEF40B4}: NameServer = 195.92.195.95 195.92.195.94

[Taz71498]

Hello Smallfry,

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Run Hijackthis again with all browsers closed and check these items and then on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {858044B9-1583-42E1-A34C-4B13EA6E09F5} - C:\WINDOWS\System32\dfoaf.dll (file missing)

O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe

O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

Don't reboot yet.

Open the program you downloaded (APM)
In the upper window select explorer.exe
In the lower window find and rightclick C:\WINDOWS\System32\dfoaf.dll
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware (the first program you downloaded)

Reboot. Now, do the following

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.

Quote:

Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Copy and paste that log here along with a new HJT log.

[Smallfry]

Quote:

Originally Posted by Taz71498

Open the program you downloaded (APM)
In the upper window select explorer.exe
In the lower window find and rightclick C:\WINDOWS\System32\dfoaf.dll
Select Unload DLL and click OK on the prompts that follow.

Ok I tried this however C:\windows\system32\dfoaf.dll was not listed under explorer.exe

Here are the log files from Hijack this

Logfile of HijackThis v1.97.7
Scan saved at 10:10:22, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab

I've attached the windows.txt file you had me make as it just shows jibberish to me

[Taz71498]

Hello,

Yes the file does look like jibberish, but could I ask you to do something.
Could you copy and paste that window.txt file here instead of attaching the file this time. One of my computers does not show the file properly and I am finding it easier to just do the copy and paste.

[Smallfry]

regf




Pugf hbin  ¨ÿÿÿnk, ÏY·.Ä
ÿÿÿÿ ÿÿÿÿÿÿÿÿ ¸ x ÿÿÿÿ 0 < 0 x  Windows ÿÿÿsk x x
Ô
„¸ È   ¤    
  !  €
  !  ? 
    
    ? 

  

  


  

 Ðÿÿÿvk  ˜


ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  h
Ðÿÿÿvk  €' 
zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk  

°ºSpooler2ðÿÿÿy e s
Ñ_åàÿÿÿvk  €

5swapdisk h
°
ð
 X Ðÿÿÿvk  à


. TransmissionRetryTimeoutÐÿÿÿvk  €' 
p USERProcessHandleQuota4 àÿÿÿh
°
ð
 X ˆ Ø Øÿÿÿvk < 

AppInit_DLLs ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ c o m f c . d l l À

[Taz71498]

Hello,

Well, we have ourselves a hidden dll that we will have to get rid of.

There is some info I need from you first. Do you have XP home or XP professional?

Is your system file NTFS or Fat32? (To check this, all you need to do is go to Start>My computer>Highlight your C drive and Right click on it and choose properties. You will see File System near the top and it will tell you if it is NTFS or Fat32.)

When you give me the info. we will proceed on getting rid of that dll or your problem will just come back.

[Smallfry]

Unfortunatly I cant work on the computer for a week now. The friend who owns the PC has gone to spain for a week and taken his PC home. Sorry to jerk you about but I'll get back to you once I can get my grubby mitts on his PC again.

I know he has XP home and I think he has NTFS but I cant confirm that yet.

[Taz71498]

No problem,

We will be here

[Smallfry]

Ok.

He has NTFS and Xp Home edition.

[Taz71498]

Hello,

I'm back. I went on vacation and just got back last night. Sorry for the delay.

Here is the next step:

Copy the contents of this quote box into note pad and save it as hiving.bat

Quote:

@echo off
Echo Working

Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
If ERRORLEVEL==1 GoTo End
GoTo DOIT
:End

echo >not.vbs MsgBox "No Appinit_Dlls value Present" ^& vbcrlf ^& "Removal Aborted"
Wscript.exe not.vbs
del not.vbs
Exit

OIT
If exist backup.hiv del backup.hiv
If exist f.hiv del f.hiv

reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv
ne

PING 1.1.1.1 -n 2 -w 1000 >NUL
if not exist backup.hiv goto one

Reg Delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f


Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
:Notthere

PING 1.1.1.1 -n 2 -w 1000 >NUL
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
IF ERRORLEVEL ==1 Go to Notthere

reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" backup.hiv

:two

PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
IF ERRORLEVEL==1 GOTO two

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls /f
:appy

PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
If Not ERRORLEVEL==1 GOTO appy

Reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" f.hiv
:three

PING 1.1.1.1 -n 4 -w 1000 >NUL
if not exist f.hiv GOTO three

Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /f

Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
:four

PING 1.1.1.1 -n 1 -w 1000 >NUL
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
If ERRORLEVEL==1 GOTO four

:five



PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" f.hiv
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v USERProcessHandleQuota
If ErrorLevel==1 GOTO five

If exist f.hiv ren f.hiv fbackup.hiv

Echo > finished.vbs MsgBox "Done"
Wscript.exe finished.vbs
del finished.vbs

Now, open and run hiving.bat.

If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box. Double click on the batch to run it. After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

----------------------
You run Home and so you will restart into Safe mode.

Restart into Safe mode and find this file:
C:\WINDOWS\System32\comfc.dll

Use the security tab on comfc.dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Example:
log.dll>bleh.txt
bleh.txt > badfile.111

Once you have successfully deleted the file restart into Regular Windows mode.

Extract and Run CWShredder immediately.
Press the fix button to clean.

Restart and run hijackThis again.

Post your new log here in your next reply.

Also please create a new Windows.txt and attach it so we can doublecheck.

[Smallfry]

hey. hope you had a nice holiday.

Threw me a little bit to start with till I realised the forum had changed the program with smileys. Once I fixed them it all ran ok.

Heres the Hijakthis log.

Logfile of HijackThis v1.97.7
Scan saved at 11:10:58, on 29/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freeola.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freeola.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://freeola.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab

And here is the Windows.txt

regf




Pugf hbin  \ W I N D O W S \ s *ÿÿÿnk, °ºŽ²RuÄ
ÿÿÿÿ ÿÿÿÿÿÿÿÿ À € ÿÿÿÿ 0 < 0 x  Windowsowsÿÿÿÿÿÿÿÿÿsk € €
Ô
„¸ È   ¤    
  !  €
  !  ? 
    
    ? 

  

  


  

 åZ Ðÿÿÿvk  *


ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  p
Ðÿÿÿvk  €' 
zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk  

°ºSpooler2ðÿÿÿy e s
Ñ_åàÿÿÿvk  €

5swapdisk p
¸
ø
( ` Ðÿÿÿvk  è


. TransmissionRetryTimeoutÐÿÿÿvk  €' 
p USERProcessHandleQuota4 àÿÿÿp
¸
ø
( ` � êd
êe êe êe êe êe êe êe êe êf êf êf êf êf ëf ëf ëf ëf ëg ëg ëg ëg ëg ëg ëg ëg ëg ëh ëh ëh ëh ëh ëh ëh ëh ìh ìi ìi ìi ìi ìi ìi ìi ìi ìj ìj ìj ìj ìj ìj ìj ìj ìj ìk ìk ík ík ík ík ík ík ík íl íl íl íl íl íl íl íl íl ím ím ím ím ím îm îm îm îm în în în în în în în în în îo îo îo îo îo îo îo îo ïo ïp ïp ïp ïp ïp ïp ïp ïp ïp ïq ïq ïq ïq ïq ïq ïq ïq ïq ïr ïr ðr ðr ðr ðr ðr ðr ðr ðs ðs ðs ðs ðs ðs ðs ðs ðs ðt ðt ðt ðt ðt ñt ñt ñt ñt ñu ñu ñu ñu ñu ñu ñu ñu ñu ñv ñv ñv ñv ñv ñv ñv òv òv òw òw! òw! òw! òw! òw! òw! òw! òw! òx! òx! òx" òx" òx" òx" òx" òx" òx" òy" óy" óy# óy# óy# óy# óy# óy# óy# óz# óz# óz# óz$ óz$ óz$ óz$ óz$ óz$ ó{$ ó{$ ó{$ ó{$ ô{% ô{% ô{% ô{% ô{% ô|% ô|% ô|% ô|% ô|& ô|& ô|& ô|& ô|& ô}& ô}& ô}& ô}& ô}& ô}' ô}' õ}' õ}' õ~' õ~' õ~' õ~' õ~' õ~( õ~( õ~( õ~( õ( õ( õ( õ( õ( õ( õ) õ) õ€) ö€) ö€) ö€) ö€) ö€) ö€) ö€* ö€* ö�* ö�* ö�* ö�* ö�* ö�* ö�* ö�* ö�+ ö‚+ ö‚+ ö‚+ ö‚+ ÷‚+ ÷‚+ ÷‚+ ÷‚+ ÷‚, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷„- ÷„- ÷„- ÷„- ÷„- ÷„- ÷„- ø„- ø„- ø…. ø…. ø…. ø…. ø…. ø…. ø…. ø…. ø…. ø†. ø†/ ø†/ ø†/ ø†/ ø†/ ø†/ ø†/ ø†/ ø‡/ ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ùˆ0 ùˆ0 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ù‰1 ù‰1 ù‰1 ù‰2 ú‰2 ú‰2 ú‰2 ú‰2 ú‰2 úŠ2 þ 0‚8X?‚8X?‚úŠ3 úŠ3 úŠ3 úŠ3 ú‹3 ú‹3 ú‹3 ú‹3 ú‹4 ú‹4 û‹4 û‹4 û‹4 ûŒ4 ûŒ4 ûŒ4 ûŒ4 ûŒ5 ûŒ5 ûŒ5 ûŒ5 ûŒ5 û�5 û�5 û�5 û�5 û�5 û�6 û�6 û�6 û�6 üŽ6 üŽ6 üŽ6 üŽ6 üŽ6 üŽ7 üŽ7 üŽ7 üŽ7 ü�7 ü�7 ü�7 ü�7 ü�7 ü�7 ü�8 ü�8 ü�8 ü�8 ü�8 ü�8 ý�8 ý�8 ý�8 ý�9 ý�9 ý�9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘: ý‘: ý’: ý’: ý’: ý’: ý’: ý’: þ’: þ’; þ’; þ“; þ“; þ“; þ“; þ“; þ“; þ“; þ“; þ“< þ”< þ”< þ”< þ”< þ”< þ”< þ”< þ”< ãT ãT ãT ãT ãT ãT ãT ãT ãT ãU ãU
ãU
ãU
ãU
ãU
ãU
ãU
ãU
ãV
ãV
ãV äV äV äV äV äV äV äW äW äW äW äW äW äW äW äW äX äX äX äX äX äX åX åX åX åY åY åY åY åY åY åY åY åY åZ åZ åZ åZ åZ åZ åZ åZ åZ æ[ æ[ æ[ æ[ æ[ æ[ æ[ æ[ æ[ æ\ æ\ æ\ æ\ æ\ æ\ æ\ æ\ æ\ æ] æ] æ] ç] ç] ç] ç] ç] ç] ç^ ç^ ç^ ç^ ç^ ç^ ç^
ç^
ç^
ç_
ç_
ç_
ç_
ç_
è_
è_ è_ è_ è` è` è` è` è` è` è` è` è` èa èa èa èa m‘Gh05Ð1á
Ñ PSá   üû1á¼ÿ1áÀÿÿÿ»  xE*á N(TO'}O&
{O&
{O&
{O&
{O&
{O&
{O&
{O&
{O&
{O&
{O&
{P&
|I%
}D% KO3êU5 ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿX8$ÿt>ÿL'
¥aKAí ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿR)ÿS+
§_I=í ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿQ(ÿS+
¦_I=í ÿHHHÿÿÿÿÿÿÿÿÿHHHÿ ÿ ÿ ÿ ÿHHHÿÿÿÿÿ ÿ ÿQ(ÿS+
¦_I=í ÿÿÿÿÿHHHÿHHHÿÿÿÿÿ ÿÿÿÿÿ ÿ ÿÿÿÿÿHHHÿ ÿ ÿQ(ÿS+
¦[E:í ÿÿÿÿÿ ÿ ÿ ÿ ÿ ÿ ÿHHHÿÿÿÿÿ ÿ ÿ ÿQ(ÿS+
¦[E:í ÿÿÿÿÿHHHÿHHHÿÿÿÿÿ ÿÿÿÿÿ ÿÿÿÿÿHHHÿ ÿ ÿ ÿQ(ÿS+
¦_I=í ÿHHHÿÿÿÿÿÿÿÿÿHHHÿ ÿ ÿ ÿÿÿÿÿ ÿ ÿ ÿ ÿQ(ÿS+
¦^J@í ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿQ)ÿS,
¦*uDípZ1ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv_9ÿv_8ÿv_9ÿl^Aÿ„P*ÿL%¨ÙvíðŒÿíŠÿíŠÿíŠÿíŠÿíŠÿíŠÿíŠÿí‰ÿú³[ÿû*Oÿø³_ÿ£Ž–ÿ¡\9ÿH
‘ŠE
§·i.î»k1ëºj0êºj0êºj0êºj0êºj0êºj0êºj0ê½o6ê½n5ê¾p7ë°k;ì…I±G& *g:•J
šK ™K™K™K™K™K™K™K˜J˜JšK™K
@!
 ö�*

at least AVG isnt throwing a fit everytime a program starts now.

[Taz71498]

Oh for crying out load, I can't believe I did that. I meant to wrap that quote in Code tags, not Quote tags. Sorry, glad you figured it out.

Run HJT again and check these and then on Fix:

O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab

Reboot and post a new log here for final review.

[Smallfry]

ugh, getting the PC off him to finnish this was like pulling teeth. Anyway, heres the log.

Logfile of HijackThis v1.97.7
Scan saved at 09:32:33, on 05/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freeola.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freeola.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://freeola.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

[Taz71498]

Hello,

The log looks good. How are things working now?

[Smallfry]

Heya,

Everything seems to be running ok now. Its even stopped trying to dial out on boot up.

Thanks for all your help

[Taz71498]

Glad we were able to help.

Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
http://www.wilderssecurity.com/showthread.php?t=27971

Happy Surfing!