Wilders Security Forums  

  #1  
October 8th, 2003, 10:20 AM
ice_princess
Infrequent Poster
Join Date: Oct 2003
Posts: 19
Ice Princess' thread

Dear moderators and all knowledgeable persons:

I am also concerned that my system might have spyware installed in it. As instructed by the moderator, I have copied and pasted my system's log here for you to take a look at. Please analyze the log and tell me if there is anything I need to get rid of.

Thank you so much for your help.

Ice Princess



Logfile of HijackThis v1.97.2
Scan saved at 7:15:28 AM, on 9/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\KMDEVMONSRV.exe
C:\WINDOWS\SYSTEM32\KMdevmonx.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\xplorer.exe
C:\windows\wind32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
C:\Paltalk\pnetaware.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\America Online 8.0a\aol.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\Documents and Settings\Loan\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &My Way Speedbar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [xplorer] C:\WINDOWS\xplorer.exe
O4 - HKLM\..\Run: [expdll] c:\windows\wind32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://guest.xemtuvi.com/tdserver.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DA0673-9F1A-4179-8B48-9645C51777C7}: NameServer = 198.81.17.134

  #2  
October 8th, 2003, 10:36 AM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Re: Ice Princess' thread

Hi ice_princess,

I split off your thread from the other because this could take a while.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll

O3 - Toolbar: &My Way Speedbar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [xplorer] C:\WINDOWS\xplorer.exe
O4 - HKLM\..\Run: [expdll] c:\windows\wind32.exe

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://guest.xemtuvi.com/tdserver.cab

Then download Spybot - Search & Destroy
After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

Or, download Ad-Aware at lavasoft.usa.com
After installing AAW, and before running the program, update by using the Globe icon.
Shut down and restart Ad-Aware.
Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Right-click in that pane and choose "select all" and click 'next'.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

Then please go to this site: http://www.kaspersky.com/remoteviruschk.html and have these two files checked:
C:\WINDOWS\xplorer.exe
c:\windows\wind32.exe

Please let us know the results. They will tell us if more work needs to be done.
And post a new log when you are done please.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
  #3  
October 8th, 2003, 03:25 PM
ice_princess
Infrequent Poster
Join Date: Oct 2003
Posts: 19
Re: Ice Princess' thread

Dear Pieter:

First of all, I deleted all the items that were listed in HijackThis as you recommended. However, this software seems to save the deleted items as backup (?) in the folder where I saved the HijackThis spyware. Should I permanently remove all these items from the folder? Also, the system did not let me remove these two items:
1) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
2) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

When I selected to delete those two items, this message appeared:
"An attempt to change Internet Explorer settings have been detected."
"Warning: Your IE homepage has been changed."
"Your internet Explorer local machine homepage has been changed from http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com to about: blank).
Then it asked me a question: "What would you like to do: 1) Restore old value or 2) Keep new value"
I chose 2) Keep new Value, then another pop-up appeared: "New IE default search url value kept <none>. This then resulted in restoring the 2 deleted items.


I did download Spybot-Search & Destroy as you recommended and have removed all the items that were marked red. However, when I finished the check using this spyware, the screen froze up and I could not close Spybot-Search & Destroy window. I ended the window by pressing Ctrl+Alt+Delete and selected "End Task". Otherwise, there was no other way I know of that could close Spybot_Search & Destroy window after running the spyware.

Also, I downloaded lavasoft spyware and scanned the system. I did exactly as instructed and deleted all the checked items. Everything went well with this spyware.

I did visit the link: www.kaspersky.com/remoteviruschk.html to check the last 2 items, and here are the results
1) C:\Windows\xplorer.exe Infected: Backdoor.Delf.em

Statistics:
Known Viruses: 75227 Updated: 8.10.2003
File size (kb): 63 Scan time: 00:00:01
Speed (kb/sec): 64 Virus bodies: 1
Archives: 0 Packed: 0
Folders: 0 Files: 1
Suspicious: 0 Warnings: 0


2) c:\windows\wind32.exe
Known viruses: 75227 Updated: 8.10.2003
File size (kb): 0 Scan time: 00:00:01
Speed (kb/sec): 1 Virus bodies: 0
Archives: 0 Packed: 0
Folders: 0 Files: 0
Suspicious: 0 Warnings: 0

However, when running virus check for this second item, my norton antivirus alert popped up that said:
"Norton Antivirus has detected a virus on your computer"
Object Name: C:\windows\wind32.exe
Virus Name: Backdoor.Optix
Action Taken: Unable to repair this file.



I rescanned with HijackThis and posted the log below.

Thank you very, very much for your help. I truly appreciate the time you've spent helping me.

ice_princess






  #4  
October 8th, 2003, 03:35 PM
ice_princess
Infrequent Poster
Join Date: Oct 2003
Posts: 19
Re: Ice Princess' thread

Dear Pieter:

Well, I went ahead and reran HijackThis spyware for your analysis. I post it here for you to take a look:


Logfile of HijackThis v1.96.1
Scan saved at 12:32:33 PM, on 9/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\KMDEVMONSRV.exe
C:\WINDOWS\SYSTEM32\KMdevmonx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 8.0a\aol.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Loan\My Documents\My eBooks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DA0673-9F1A-4179-8B48-9645C51777C7}: NameServer = 198.81.20.134
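
The comparison a helper makes between a fix list and a follow-up log can be scripted. The Python below is an added example, not part of any post in this thread: it parses HijackThis entry lines and reports which fix-list entries survive in a later scan and which entries are new. The function names are hypothetical, and the sample text is a short excerpt of the logs and fix list posted above.

```python
import re
from typing import List, NamedTuple, Tuple

# HijackThis entry lines start with a section code (R0, R1, O2, O4, O10, ...)
# followed by " - " and the entry text. Header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RNFO]\d{1,2}) - (?P<body>.+)$")


class Entry(NamedTuple):
    code: str  # section code, e.g. "O4"
    body: str  # everything after "CODE - "


def parse_entries(log_text: str) -> List[Entry]:
    """Return the R/N/F/O entries of a HijackThis log, in file order."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group("code"), match.group("body").strip()))
    return entries


def _key(entry: Entry) -> Tuple[str, str]:
    # Registry keys and Windows paths are case-insensitive, so compare folded.
    return (entry.code, entry.body.casefold())


def still_present(fix_list: str, later_log: str) -> List[Entry]:
    """Entries that were marked for fixing but appear again in the later scan."""
    later = {_key(e) for e in parse_entries(later_log)}
    return [e for e in parse_entries(fix_list) if _key(e) in later]


def new_entries(earlier_log: str, later_log: str) -> List[Entry]:
    """Entries in the later scan that the earlier scan did not list (deduplicated)."""
    seen = {_key(e) for e in parse_entries(earlier_log)}
    fresh = []
    for entry in parse_entries(later_log):
        if _key(entry) not in seen:
            seen.add(_key(entry))
            fresh.append(entry)
    return fresh


# Excerpt of the first log in this thread (post #1).
EARLIER_LOG = r"""
Logfile of HijackThis v1.97.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [xplorer] C:\WINDOWS\xplorer.exe
O4 - HKLM\..\Run: [expdll] c:\windows\wind32.exe
"""

# Excerpt of the fix list in post #2.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O4 - HKLM\..\Run: [xplorer] C:\WINDOWS\xplorer.exe
O4 - HKLM\..\Run: [expdll] c:\windows\wind32.exe
"""

# Excerpt of the follow-up log in post #4.
LATER_LOG = r"""
Logfile of HijackThis v1.96.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""

if __name__ == "__main__":
    for entry in still_present(FIX_LIST, LATER_LOG):
        print("STILL PRESENT:", entry.code, "-", entry.body)
    for entry in new_entries(EARLIER_LOG, LATER_LOG):
        print("NEW:", entry.code, "-", entry.body)
```
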

  #5  
October 8th, 2003, 03:43 PM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Re: Ice Princess' thread

Hi ice_princess,

First download a free trial of TDS3 from here:
http://www.wilders.org/anti_trojans_m.htm
Update as described here:
http://tds.diamondcs.com.au/index.php?page=update
Then start TDS-3 and after the initial scans are done click TDS > Execution Protection > Install
When that is ready click System Testing > Full system scan
Delete everything it gives you a positive identification on.

Then go to Add/Remove Software and remove NewDotNet aka New.Net Domains.

Then I'm quite puzzled why you posted a HijackThis log from an older version the second time.
The backups can be discarded as soon as we have your PC in tiptop condition again.

Regards,

Pieter


  #6  
October 8th, 2003, 04:15 PM
ice_princess
Infrequent Poster
Join Date: Oct 2003
Posts: 19
Re: Ice Princess' thread

Dear Pieter:

Please reread the first paragraph of my reply #2 above that I repost here:

First of all, I deleted all the items that were listed in HijackThis as you recommended. However, this software seems to save the deleted items as backup (?) in the folder where I saved the HijackThis spyware. Should I permanently remove all these items from the folder? Also, the system did not let me remove these two items:
1) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
2) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

When I selected to delete those two items, this message appeared:
"An attempt to change Internet Explorer settings have been detected."
"Warning: Your IE homepage has been changed."
"Your internet Explorer local machine homepage has been changed from http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com to about: blank).
Then it asked me a question: "What would you like to do: 1) Restore old value or 2) Keep new value"
I chose 2) Keep new Value, then another pop-up appeared: "New IE default search url value kept <none>. This then resulted in restoring the 2 deleted items.



Regarding the log, I rescanned it here to make sure that I did not make a mistake of copying the wrong log in my previous message. Sorry!!!! And thank you so much!
Logfile of HijackThis v1.96.1
Scan saved at 1:13:00 PM, on 9/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\KMDEVMONSRV.exe
C:\WINDOWS\SYSTEM32\KMdevmonx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Loan\My Documents\My eBooks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB

  #7  
October 8th, 2003, 04:33 PM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Re: Ice Princess' thread

Hi ice_princess,

Those warnings were from SpywareGuard. Now you know it works.
You can proceed as I recommended in my previous post.

Regards,

Pieter
  #8  
October 8th, 2003, 05:16 PM
ice_princess
Infrequent Poster
Join Date: Oct 2003
Posts: 19
Re: Ice Princess' thread

Pieter:

Please help!!! Which version of TDS3 should I download: TDS3v3.2.1 Final or TDS3v.3.2.0 to v3.2.1 updater?

I downloaded version TDS3v3.2.1Final and the update from http://tds.diamondcs.com.au/index.php?page=update, but nothing happened.



In regard to the instruction: "go to Add/Remove Software and remove NewDotNet aka New.Net Domains", are you telling me to use HiJackThis software to track and eliminate these? If so, are these the ones I need to get rid of:
1) O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1 (for NewDotNet domain)

2) aka?

3) O10 - Hijacked Internet access by New.Net (for New.Net Domain)

Please respond. Thanks

ice_princess
  #9  
Old October 8th, 2003, 05:36 PM
LowWaterMark LowWaterMark is offline
Administrator
 
Join Date: Aug 2002
Location: New England
Posts: 15,524
Default Re:Ice Princess' thread

Quote:
ice_princess wrote:
Please help!!! Which version of TDS3 should I download: TDS3v3.2.1 Final or TDS3v.3.2.0 to v3.2.1 updater?

I downloaded version TDS3v3.2.1Final and the update from http://tds.diamondcs.com.au/index.php?page=update, but nothing happened.

Yes, "TDS3 v3.2.1 Final" is the right one.

What do you mean "nothing happened"? After you downloaded the "TDS3 v3.2.1 Final", you double clicked on it to install it, correct? Then you downloaded the update from http://tds.diamondcs.com.au/index.php?page=update doing what it said to do under "Manual Update" right?

Once you've done these two steps, you need to run TDS3 to scan your system. (TDS should have added itself to the Start menu during the installation above.) You want to scan your system with TDS so it can find and remove the infection. Did you try doing a scan with TDS yet?

Quote:
In regard to the instruction: "go to Add/Remove Software and remove NewDotNet aka New.Net Domains", are you telling me to use HiJackThis software to track and eliminate these?

No. He meant to open the "Control Panel", then run the "Add/Remove Programs" option in there... Look in the list of programs it has and double click on any New.Net entries there to deinstall them.
  #10  
Old October 10th, 2003, 02:32 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

Moderators:

Could any of you please help me to properly download TDS software? I tried so many times last night, and every time after I downloaded the software and tried to run it I kept getting a message that said "my evaluation time is over", so I decided to pay for the TDS license. However, even after I paid for the license, I still could not run the software properly. I downloaded the software by going into the address provided by the technical support group of TDS, then I tried to save the registration keyfile in order to run the software under registered mode, but then a pop-up appeared that said: "Can't open the file....blah blah.....must find the program that created it." I then deleted the already downloaded TDS software and tried again, but with no success. I have been downloading, deleting, and downloading the software more than 10 times since last night, but I still could not get the software to work. As of right now, I am just very frustrated at my inability. Please help me, people!!! My patience has run out and I reallyyyy need your help. :'(

ice princess
  #11  
Old October 10th, 2003, 02:50 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Default Re:Ice Princess' thread

Hi ice_princess,

Copying the keyfile you received into the TDS3 directory (the folder where update.cfg and tds3.exe are) and then restarting TDS should be sufficient.
Is that not working for you?

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
  #12  
Old October 10th, 2003, 02:56 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

Pieter,

To download TDS, do I choose "Open" to let TDS save into a default folder, or should I choose "Save" to choose my own destination? I am asking this because after I downloaded TDS in the default folder and then saved the registration keyfile, a pop-up message said "can't open this document......need to know which program created this".

Thanks!!!
  #13  
Old October 10th, 2003, 03:11 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Default Re:Ice Princess' thread

Hi ice_princess,

Let's start from the beginning.
1. You already downloaded the tds3setup.exe
You can just save it anywhere, although I like to keep all my setup files in a separate folder.
2. Run that file to install TDS3 and remember the directory you install it to.
3. Then copy the keyfile into the same directory and start TDS3

If anything goes other than expected, let me know what and at what stage exactly.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
  #14  
Old October 10th, 2003, 03:54 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

Pieter:

I already downloaded TDS3setup.exe, clicked on TDS3setup.exe to install it, and saved my registration keyfile to the installed TDS3 file, but then nothing happened after that. How come the software did not start scanning?

Here are the steps that I performed to download the software:
1) I went into this address ( http://tds.diamondcs.com.au/downloads/tds3setup.exe) and downloaded tds3setup.exe. I saved this to the file called: My Documents.
2) After I downloaded tds3setup.exe, I went into My Documents and clicked on the tds3setup icon to install the software then saved it to c:\ProgramFiles and created a folder in it called c:\ProgramFiles\bochet.
3) I went into my email to download and save the Registration KeyFile to c:\ProgramFiles\bochet (as this is the folder that I created for TDS).
4) I went to this site (http://tds.diamondcs.com.au/index.php?page=update) trying to install the updates, but a message popped up asking if I want to replace the existed document. I said no!!!
5) Then what? After all these steps, nothing happened. I did click on the TDS-3 icon on my desktop, but nothing happened. What should I do after step 3 please?

Thank you, Pieter.

ice princess
  #15  
Old October 10th, 2003, 04:12 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Default Re:Ice Princess' thread

Hi ice_princess,

Could you see what happens when you double-click the file with the TDS icon directly in the folder you created?
In the meantime I will ask one of the TDS moderators to see if they can help.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
  #16  
Old October 10th, 2003, 05:15 AM
Pilli Pilli is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Hampshire UK
Posts: 6,217
Default Re:Ice Princess' thread

Hello ice_princess,

Hmm, I notice that you saved TDS3 to a non-default path: c:\ProgramFiles\bochet. This should not make a difference, but for ease of troubleshooting would you please try the following:
First ensure that you have administrative rights within XP. Save a copy of your key file to a safe place, then remove the current installation and allow TDS3setup to put TDS3 into the default directory.

Once the installation is completed please ensure that the latest Radius.TD3 and your key file, TDS3.KF, are placed in the main TDS3 folder.

You should now start TDS3. You may have to wait for a few minutes whilst it does the initial scans, so while you are waiting right-click the right-hand end of the Start bar (Notification) area and initiate the menu item called Task Manager. You should pick the tab called "Processes". Under that tab you should see TDS3 and its CPU usage; this will help you see that TDS3 is actually working, plus any other processes.

Please ensure that you have no other security programmes running whilst doing the re-installation, as they may impair a proper install of TDS3.

Hope this helps Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
  #17  
Old October 10th, 2003, 06:13 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

Pieter:

I tried to do everything that Pilli suggested, but it still does not work

Here are the steps I did:
1) I removed the previously installed TDSsetup and all its components.
2) I redownloaded TDSsetup in the default path (c:\ProgramsFiles\TDS3)
3) I let the software restart my PC
4) I went into my email and saved the Registration Key to a floppy diskette (as Pilli told me to save this in a "safe place")
5) I downloaded the latest Radius.TD3 and saved it to C:\ProgramFiles\TDS3.
6) I then moved the saved Registration Key from my diskette to C:\ProgramsFiles\TDS3
7) Nothing happened after all those steps so I doubleclicked on the TDS icon on my desktop. Still, it did nothing. I then went into C:\ProgramsFiles\TDS3 and doubleclicked on TDS3 icon there, but that did nothing.

What should I do now? Sorry for the inconvenience, but I am totally lost

ice princess
  #18  
Old October 10th, 2003, 07:24 AM
Pilli Pilli is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Hampshire UK
Posts: 6,217
Default Re:Ice Princess' thread

Hello again ice_princess, After clicking TDS to start did you then check Task Manager as stated above? Was tds shown in the running processes list?

Are you the main user of the PC? How many accounts are there on the PC? Do you have Administrative rights?

Sorry for a lot of questions, but they will help with our troubleshooting.
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
  #19  
Old October 10th, 2003, 07:58 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

Rehi Pilli,

Question 1: After clicking TDS to start did you then check Task Manager as stated above?
Answer: I did not know what you were talking about earlier, but I just figured it out now by pressing Ctrl+Alt+Delete.

Question 2: Was tds shown in the running processes list?
Answer: it is showing: tds-3.exe. Mem Usage: 7,204K

Question 3: Are you the main user of the PC?
Answer: I am not sure. But it was my brother's name that got registered for the computer when we bought it.

Question 4: How many accounts are there on the PC?
Answer: 3 accounts: My brother's, mine, and Guest.

Question 5: Do you have Administrative rights?
Answer: I would assume so since it said: "Computer Administrator" next to my log-in name when I went into User Accounts in the Control Panel to check it just now.

Sorry for a lot of questions but they will help with our troubleshooting <--- nice and white teeth you've got there!!!

To be positively sure, I have rescanned my system with HijackThis and posted my log below for your analysis. Please analyze it and tell me if my system is clean and especially whether or not these two viruses have been effectively eliminated:
1) C:\Windows\xplorer.exe
2) C:\windows\wind32.exe

Thank you so much for all your help, Pilli, Pieter, and LowWaterMark. Without your help, I wouldn't be here tonight..... for I would have hit my head with a hammer due to extreme frustration. Don't forget to look at my log below!!!!

Logfile of HijackThis v1.96.1
Scan saved at 5:11:28 AM, on 9/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\KMDEVMONSRV.exe
C:\WINDOWS\SYSTEM32\KMdevmonx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
C:\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\TDS3\tds-3.exe
C:\Program Files\America Online 8.0a\aol.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Loan\My Documents\My eBooks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: DLExpert (HKLM)
O9 - Extra 'Tools' menuitem: &DLExpert (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DA0673-9F1A-4179-8B48-9645C51777C7}: NameServer = 198.81.20.134



  #20  
Old October 10th, 2003, 08:22 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Default Re:Ice Princess' thread

Hi ice_princess,

I wouldn't worry about the Delf.Trojan, but regarding Optix, although I can't find it in the log, I would feel much better if TDS gave you the all clear.

I did solve one mystery I think and that is why TDS expired so quickly.
Looking at the headers from your HijackThis logs your computer is lagging by a month.

Quote:
ice_princess wrote:

Scan saved at 7:15:28 AM, on 9/8/2003

Quote:
ice_princess wrote:

Scan saved at 5:11:28 AM, on 9/10/2003

Could you adjust your computer time and see if that solves anything?

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
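
The two checks made by hand in posts #19 and #20 (did xplorer.exe, wind32.exe and the New.Net entry disappear between scans, and does the "Scan saved at" header agree with the date of the post), as an added example that is not part of any post in this thread. The log excerpts are abridged from the logs posted here; the M/D/YYYY date format and the one-day tolerance (to absorb time-zone differences between the PC and the forum clock) are assumptions.

```python
import re
from datetime import datetime, timedelta

HEADER_RE = re.compile(
    r"^Scan saved at (\d{1,2}:\d{2}:\d{2} [AP]M), on (\d{1,2}/\d{1,2}/\d{4})$")
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - .+$")  # R1, O4, O10, O16, ...

# Abridged from the log in post #1 of this thread.
LOG_POST_1 = r"""
Logfile of HijackThis v1.97.2
Scan saved at 7:15:28 AM, on 9/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\xplorer.exe
C:\windows\wind32.exe
C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: MoneySide (HKLM)
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
"""

# Abridged from the log in post #19 of this thread.
LOG_POST_19 = r"""
Logfile of HijackThis v1.96.1
Scan saved at 5:11:28 AM, on 9/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TDS3\tds-3.exe

O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
"""


def parse_log(text):
    """Split a HijackThis log into scan time, running processes and entries."""
    log = {"scan_time": None, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            # Assumption: the PC writes dates as M/D/YYYY.
            log["scan_time"] = datetime.strptime(
                " ".join(header.groups()), "%I:%M:%S %p %m/%d/%Y")
        elif line == "Running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False  # first R/O entry ends the process list
            log["entries"].append(line)
        elif in_processes:
            log["processes"].append(line)
    return log


def diff_logs(before, after):
    """Report items that vanished or appeared; Windows paths compare case-insensitively."""
    result = {}
    for section in ("processes", "entries"):
        old = {item.lower(): item for item in before[section]}
        new = {item.lower(): item for item in after[section]}
        result["removed_" + section] = [old[k] for k in sorted(old.keys() - new.keys())]
        result["added_" + section] = [new[k] for k in sorted(new.keys() - old.keys())]
    return result


def clock_skew(log, posted_at, tolerance=timedelta(days=1)):
    """Return (skew, suspicious): how far the scan header trails the post time."""
    if log["scan_time"] is None:
        raise ValueError("log has no 'Scan saved at' header")
    skew = posted_at - log["scan_time"]
    return skew, abs(skew) > tolerance


if __name__ == "__main__":
    first, second = parse_log(LOG_POST_1), parse_log(LOG_POST_19)
    for key, items in diff_logs(first, second).items():
        print(key, items)
    # Post #19 is stamped October 10th, 2003, 07:58 AM on the forum.
    print(clock_skew(second, datetime(2003, 10, 10, 7, 58)))
```

A large skew matters beyond the trial expiry discussed here: licence checks, update logic and log timestamps on the machine all inherit the wrong date.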
  #21  
Old October 10th, 2003, 08:29 AM
Pilli Pilli is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Hampshire UK
Posts: 6,217
Default Re:Ice Princess' thread

Hi again ice_princess,
If task manager shows TDS3 as running then it must be (No white teeth!) Which makes me wonder why you cannot see it, can you check to see if you have a TDS3 icon in the notification area of the task bar? The reason I ask is because there is a switch in TDS3 that can minimise it to the task bar.
How long did you leave TDS3 running? Does TM still show it running?
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
  #22  
Old October 10th, 2003, 08:55 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

To Pilli:

Question: If task manager shows TDS3 as running then it must be (No white teeth!) Which makes me wonder why you cannot see it, can you check to see if you have a TDS3 icon in the notification area of the task bar?
Answer: No, I do not find the TDS3 icon displaying on my task bar on the bottom of the screen.

Question: How long did you leave TDS3 running?
Answer: Must have been more than one hour now.

Question: Does TM still show it running?
Answer: I just checked back at Windows Task Manager and checked the processes, this is what it reported: "tds3.exe. Mem Usage 7,220K"

Inquiry: If I don't see a task bar displaying TDS3, is there something wrong? If so, what can I do to fix this problem? Thanks.

Ice princess
  #23  
Old October 10th, 2003, 09:00 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

To Pieter:

Yes, you are right. I have been working backward in time for one month. It would be great if this had happened for real. Please look at my log below to see if this problem is fixed.

Regarding Optix, I did not get an "all clear" message from TDS. What does this mean? Is TDS software working ok for me or should I do something about it until I get an "all clear" sign?

Thanks,

ice princess

Logfile of HijackThis v1.96.1
Scan saved at 6:02:57 AM, on 10/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\KMDEVMONSRV.exe
C:\WINDOWS\SYSTEM32\KMdevmonx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
C:\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\TDS3\tds-3.exe
C:\Program Files\America Online 8.0a\aol.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Loan\My Documents\My eBooks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = C:\Program Files\Panasonic\Multi-Function Station\STATUSMON.EXE
O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: DLExpert (HKLM)
O9 - Extra 'Tools' menuitem: &DLExpert (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DA0673-9F1A-4179-8B48-9645C51777C7}: NameServer = 198.81.20.134

  #24  
Old October 10th, 2003, 09:09 AM
ice_princess ice_princess is offline
Infrequent Poster
 
Join Date: Oct 2003
Posts: 19
Default Re:Ice Princess' thread

Hi again,

Just one question: How, in the world, was my computer infected with not one but 2 viruses: Trojan and Optix? This would help me to better prevent future infection(s). Thanks

Ice princess
  #25  
Old October 10th, 2003, 09:17 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,717
Default Re:Ice Princess' thread

Hi ice_princess,

You are up to date now.

We will have to get TDS running and perform a scan to get the "all clear"
I hope Pilli has some more ideas when he comes back.

Maybe you could try and see if it will work in safe mode

Infection could have happened in many ways. Surfing to the wrong site with your security settings too low, can be enough.
If you like TDS enough to buy it, it's about the best protection you can get against trojans.

Both Optix and Delf are trojans, not viruses.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
All times are GMT -4. The time now is 04:16 PM.