No Response Since 7-7 Posting

Discussion in 'adware, spyware & hijack cleaning' started by Val-Dan, Jul 14, 2004.

Thread Status:
Not open for further replies.
  1. Val-Dan

    Val-Dan Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    I know you are all busy but I posted this first a week ago. Here is my original posting. I have redone everything again today and run another log which I am putting at the bottom. Please look to see if there is anything I can do to fix this. I don't know what else to do. Thanks.


    July 7th, 2004, 01:51 PM
    Val-Dan Val-Dan is online now
    Junior Member

    Join Date: Jul 2004
    Posts: 1
    Default Please check Hijack This Log
    I have run Adaware, Spybot S&D and CWShredder many times in the last two weeks and this bug just keeps coming back. I had the about:blank web page problem for a long time until someone helped me block that page. Now IE keeps being redirected to MSN upon startup. I have since downloaded Mozilla Firefox and I am using it but the problems still show up in a CWShredder scan. When I run the CWShredder it occasionally "fixes" cws.searchx but that keeps coming back. My computer is slow, sometimes stopping completely and I keep getting a message that says virtual memory is low. Below is the most recent HijackThis log. Thank you for any help you can give me.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:38:56 PM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\PROMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\notepad.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CD Burning\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/springfield
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [EarthLink Installer] " /C
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/securi...b?1065734229765
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce...bles/ie/IDA.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB



    Today I turned off system restore, ran CWShredder, Adaware, Spybot S&D, rebooted and turned system restore back on. I then ran Hijack this and posted here.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:01:15 PM, on 7/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\PROMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Program Files\Downloads-Security\HijackThis7-14.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [EarthLink Installer] " /C
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065734229765
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB



    Please tell me if there is something else I can do to get rid of this mess. Thanks.

    Valeri
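An added triage example, not code from the thread or from the HijackThis project: it parses the `R0/O2/O4/O16 - ...` lines from the logs above into objects, flags the patterns a responder checks first (orphaned BHOs, Run values with a broken or unqualified command, executables sitting directly in a Startup folder, ActiveX downloads from hosts outside a small allow-list), and diffs the 7/7 and 7/25 logs with `Compare-Object`. The function names and the allow-list hosts are my own choices; the sample lines are copied from the logs in this thread. Note that none of the logs lists the AppInit_DLLs value at all, which is why the DLL found later in the thread only surfaced through a separate registry dump.

```powershell
# Added example: triage and diff HijackThis logs. Helper names are mine, not HijackThis's.

function ConvertFrom-HjtLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Every entry has the shape "<Section> - <Body>", e.g. "O4 - HKLM\..\Run: [Name] command"
        if ($line -match '^\s*(?<sec>[RO]\d+)\s+-\s+(?<body>.+)$') {
            [pscustomobject]@{ Section = $Matches.sec; Body = $Matches.body.Trim(); Raw = $line.Trim() }
        }
    }
}

function Get-HjtFindings {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        switch -Regex ($e.Section) {
            '^O2$' {
                if ($e.Body -match '\(no file\)') {
                    [pscustomobject]@{ Severity = 'Low'; Entry = $e.Raw; Why = 'BHO CLSID registered but its DLL is gone; remove the orphan' }
                }
            }
            '^O4$' {
                if ($e.Body -match '^(HKLM|HKCU)\\\.\.\\Run:\s+\[(?<name>[^\]]+)\]\s*(?<cmd>.*)$') {
                    $cmd = $Matches.cmd.Trim()
                    if ($cmd -match '^"\s*/C$' -or [string]::IsNullOrWhiteSpace($cmd)) {
                        [pscustomobject]@{ Severity = 'Medium'; Entry = $e.Raw; Why = 'Run value with a broken or empty command; delete it' }
                    }
                    elseif ($cmd -notmatch '^"?[A-Za-z]:\\') {
                        # A bare name is resolved through the executable search order (system directories
                        # before PATH), so whichever same-named file sits there is what actually runs.
                        [pscustomobject]@{ Severity = 'Medium'; Entry = $e.Raw; Why = "Unqualified command '$cmd'; locate the file and verify its publisher" }
                    }
                }
                elseif ($e.Body -match 'Startup:\s+(?<item>.+)$' -and $Matches.item -notmatch '\.lnk\s*=') {
                    [pscustomobject]@{ Severity = 'Medium'; Entry = $e.Raw; Why = 'Executable placed directly in a Startup folder instead of a shortcut' }
                }
            }
            '^O16$' {
                # Allow-list (my choice): local Help Center CABs, local files, and a few vendor domains.
                if ($e.Body -match '-\s+(?<url>\S+)$' -and
                    $Matches.url -notmatch '^(hcp://system/|file://|https?://[^/]*(microsoft|symantec|trendmicro|intuit)\.com/)') {
                    [pscustomobject]@{ Severity = 'Low'; Entry = $e.Raw; Why = 'ActiveX download from a host outside the allow-list; confirm before keeping' }
                }
            }
        }
    }
}

function Compare-HjtLogs {
    param([string[]]$Before, [string[]]$After)
    $b = ConvertFrom-HjtLog $Before | Select-Object -ExpandProperty Raw
    $a = ConvertFrom-HjtLog $After  | Select-Object -ExpandProperty Raw
    Compare-Object -ReferenceObject $b -DifferenceObject $a |
        ForEach-Object { [pscustomobject]@{ Change = @{ '<=' = 'Removed'; '=>' = 'Added' }[$_.SideIndicator]; Entry = $_.InputObject } }
}

# Constructed sample: a handful of lines copied from the 7/7 and 7/25 logs in this thread.
$log0707 = @'
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
'@ -split "`r?`n"

$log0725 = @'
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iconusersgroup.org/
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
'@ -split "`r?`n"

Get-HjtFindings (ConvertFrom-HjtLog $log0725) | Format-Table -AutoSize -Wrap
Compare-HjtLogs -Before $log0707 -After $log0725 | Format-Table -AutoSize -Wrap
```

On the sample above the findings table lists the bare `SK9910DM.EXE` command, the `" /C` leftover, `PowerReg Scheduler.exe` in the Startup folder and the HouseCall CAB served from an akamai.net host (a CDN front for Trend Micro, so a confirm-and-keep, not a removal), and the diff shows the two Money/orphan BHOs gone and the new start page and HouseCall entries added. The point of the allow-list is to make the reviewer look at anything not on it, not to decide for them.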
     
  2. Val-Dan

    Val-Dan Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    Help!!! Now my Norton Utilities is alerting me that I have "Backdoor.Trojan" and it can't be fixed. When I booted up my computer today it took more than 10 minutes due to the virtual memory problem. While working on a newsletter in MS Publisher the last couple of days sometimes my computer shuts down in the middle of my project. It also can't find my document when I go to look for it about half the time and when it can find it, it sometimes can only open it in Safe mode. I have no idea what any of this means but my problems are getting worse and worse. Please someone help! I am afraid I am about to lose everything on my computer!

    Valeri
     
  3. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Not much is jumping out at me from your log.

    Run this online virus scan and let me know the results:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    There is an autofix check box to check before you scan.

    I would also like to take a look at something that may look funny to you but maybe it will show us a hidden dll:

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt, do a search for it if it doesn't show up on your desktop.
    Copy and paste that log here.
     
  4. Val-Dan

    Val-Dan Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    I ran the Virus Scan and nothing showed up. I found a reference to Panda ActiveScan on another Thread yesterday and ran it. It showed I had Exploit/iFrame virus which it couldn't fix and StartPage.FH virus which it could fix.

    My Norton is still showing this alert:
    Norton AntiVirus has detected a virus on your computer.
    C:\WINNT\System32\winp.dll
    Virus Name: Backdoor.Trojan
    Action Taken: Unable to repair this file.
    Action Taken: Access to file was denied.

    Every time I click OK it keeps repeating itself, continuously!

    I have done everything else you said and here is the log:

    [windows.txt as posted is a raw binary dump of the saved "Windows" registry key (a regf hive file) and cannot be reproduced as text. The readable strings in it, in order of appearance: key name "Windows"; value AppInit_DLLs with data C:\WINNT\System32\winp.dll; DeviceNotSelectedTimeout; "15"; "90"; GDIProcessHandleQuota; Spooler with data "yes"; swapdisk; TransmissionRetryTimeout; USERProcessHandleQuota. The remainder of the dump is binary with no readable content.]

    Is there anything else I need to do?

    BTW, I am certainly not happy with Norton AV. Is something else better? What about the Micro-Trend you suggested or the Panda AV? I don't want this to come back if I can ever get rid of it!

    Valeri
     
  5. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I found a hidden dll we need to get rid of, which by the way is what Norton is picking up. But first I need some info.

    Do you have XP home or pro?

    Is your file system NTFS or Fat32? To check this out just go to Start>My Computer and highlight your C: drive and right click on it. Select properties and a box will pop up. That will tell you what file system you have.

    As for your question, this is my opinion only: I like TrendMicro. Most do a pretty good job, you just need to keep it updated and do it often.
     
  6. Val-Dan

    Val-Dan Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    I have XP Home and the file system is NTFS. Is there something I can do about the Backdoor Trojan?

    As far as the AV - My Norton is supposed to be doing continuous updates but things are getting in. I am considering Panda or Trend Micro Internet Security. Trend Micro says it will also protect my PDA plus it also has Automatic updates, so that is why I was asking around. A friend is the Webmaster for the local library system and she says that they just went to Trend Micro for their system.

    Thanks!
     
  7. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    No matter what AV you have, expect things to get through. None of them are foolproof. In fact, there are things out there that will disable your AV. Just be careful where you go and what you download.

    Ok, now we continue. I don't know if you have CWShredder installed but if not, download it from here. You will run it later:
    Download CWShredder

    Copy the contents in this quote box into NotePad and name it hiving.bat and save it on your desktop.

    Code:
    @echo off
    REM hiving.bat: move the AppInit_DLLs value out of the live "Windows" key by saving the
    REM key to a hive file, deleting the key, restoring the hive under a scratch name, removing
    REM the value there, and restoring the cleaned hive back under "Windows".
    REM Run it from the Desktop; backup.hiv and fbackup.hiv are written next to the script.
    Echo Working

    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
    REM "IF ERRORLEVEL 1" means "exit code is 1 or higher". "IF ERRORLEVEL==1" is a string
    REM comparison of the word ERRORLEVEL with "1" and never matches, so it is not used here.
    If ERRORLEVEL 1 GoTo End
    GoTo DOIT

    :End
    echo >not.vbs MsgBox "No Appinit_Dlls value Present" ^& vbcrlf ^& "Removal Aborted"
    Wscript.exe not.vbs
    del not.vbs
    Exit

    :DOIT
    If exist backup.hiv del backup.hiv
    If exist f.hiv del f.hiv

    REM 1. Save the live key (this is the untouched backup) and wait until the file exists.
    reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv
    :one
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    if not exist backup.hiv goto one

    REM 2. Delete the live key, then recreate its contents under a scratch key name.
    Reg Delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f

    Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
    :Notthere
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
    IF ERRORLEVEL 1 GOTO Notthere

    reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" backup.hiv
    :two
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
    IF ERRORLEVEL 1 GOTO two

    REM 3. Remove the AppInit_DLLs value from the scratch key and confirm it is really gone.
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls /f
    :appy
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
    If Not ERRORLEVEL 1 GOTO appy

    REM 4. Save the cleaned scratch key, delete it, recreate "Windows" and restore the cleaned hive into it.
    Reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" f.hiv
    :three
    PING 1.1.1.1 -n 4 -w 1000 >NUL
    if not exist f.hiv GOTO three

    Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /f

    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    :four
    PING 1.1.1.1 -n 1 -w 1000 >NUL
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    If ERRORLEVEL 1 GOTO four

    :five
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" f.hiv
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v USERProcessHandleQuota
    If ErrorLevel 1 GOTO five

    REM Keep the cleaned hive as fbackup.hiv; backup.hiv still holds the original key, value included.
    If exist f.hiv ren f.hiv fbackup.hiv

    Echo > finished.vbs MsgBox "Done"
    Wscript.exe finished.vbs
    del finished.vbs
    Double click on hiving.bat. Reboot your computer.

    You run Home and so you will restart into Safe mode.

    Restart into Safe mode and find this file:
    C:\WINNT\System32\winp.dll

    Use the security tab on winp.dll and take ownership.
    Change the 'everyone special' to
    'you> with Admin rights-> FULL control
    Then try to delete it, if that fails try to rename
    it first to different name+ext.
    Example:
    log.dll>bleh.txt
    bleh.txt > badfile.111

    Once you have successfully deleted the file restart into Regular Windows mode.

    Extract and Run CWShredder immediately.
    Press the fix button to clean, not scan.

    Restart and run hijackThis again.

    Post your new log here in your next reply.

    Also please create a new Windows.txt and attach it so we can doublecheck.
     
  8. Val-Dan

    Val-Dan Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    Sorry, I am a novice at this. I did everything before this section and found this file - winp.dll. I can do the things after this section but I need more explanation of this part of your directions:

    Use the security tab on winp.dll and take ownership.
    Change the 'everyone special' to
    'you> with Admin rights-> FULL control
    Then try to delete it, if that fails try to rename
    it first to different name+ext.
    Example:
    log.dll>bleh.txt
    bleh.txt > badfile.111

    Sorry. Thanks for your help.
     
  9. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    No problem. First thing first, you need to boot your computer into Safe Mode or you will not get the security tab on the file.

    So boot into safe mode and find that file winp.dll. Right click on the file and choose properties. Now click on the security tab. Next, click on the advanced tab and then the owner tab. Select
    you> with Admin rights-> FULL control. Go to the permissions tab and check that you have full control, if not you can edit that.

    Now close the properties box. Right click on the file again and this time choose rename. Rename it something like bleh.txt and then after it is renamed, right click on it again and try to delete it. You may need to do the renaming part again, if so, try another name and extension.

    Once you have successfully deleted the file restart into Regular Windows mode.

    Extract and Run CWShredder immediately.
    Press the fix button to clean, not scan.

    Restart and run hijackThis again.

    Post your new log here in your next reply.

    Also please create a new Windows.txt and attach it so we can doublecheck.
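An added example, not code from the thread: the procedure Taz71498 lays out in posts 3, 7 and 9 (dump the AppInit_DLLs value, back up the key, strip the value, take ownership of the DLL, rename it) written as PowerShell for a current Windows version and run from an elevated prompt. The function names and the backup location are my own; `AppInit_DLLs`, `LoadAppInit_DLLs`, `RequireSignedAppInit_DLLs`, `takeown.exe` and `icacls.exe` are real. The original machine is XP SP1, which has no PowerShell, so the batch-plus-Safe-Mode route above is still the answer there; this shows the same steps with the checks a responder would add first (is the DLL signed, hidden, who owns it, what is its hash).

```powershell
# Added example: inspect and neutralise AppInit_DLLs entries. Helper names are mine.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on 64-bit Windows
)

function Get-AppInitDll {
    # One object per DLL named in AppInit_DLLs, with the facts you need before touching it.
    # This is the query half: the thread's Appinit.bat / windows.txt dump served the same purpose.
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        # Vista and later gate the mechanism with LoadAppInit_DLLs (Windows 7 adds RequireSignedAppInit_DLLs);
        # on XP both are absent and anything listed is loaded into every process that loads user32.dll.
        $load = if ($null -ne $p.LoadAppInit_DLLs) { $p.LoadAppInit_DLLs } else { 'absent' }
        $req  = if ($null -ne $p.RequireSignedAppInit_DLLs) { $p.RequireSignedAppInit_DLLs } else { 'absent' }
        # The value is a space-, comma- or semicolon-separated list; a bare name resolves via the DLL search path.
        $entries = ([string]$p.AppInit_DLLs) -split '[ ,;]+' | Where-Object { $_ }
        foreach ($e in $entries) {
            $path   = if ($e -match '^[A-Za-z]:\\') { $e } else { Join-Path $env:SystemRoot "System32\$e" }
            $exists = Test-Path -LiteralPath $path
            [pscustomobject]@{
                Key           = $key
                LoadAppInit   = $load
                RequireSigned = $req
                Entry         = $e
                Path          = $path
                Exists        = $exists
                Hidden        = if ($exists) { [bool]((Get-Item -LiteralPath $path -Force).Attributes -band [IO.FileAttributes]::Hidden) } else { $null }
                Owner         = if ($exists) { (Get-Acl -LiteralPath $path).Owner } else { $null }
                Signature     = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
                Sha256        = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

function Remove-AppInitDll {
    # Back up each key with reg.exe save (the thread's backup.hiv), blank the value, then take ownership
    # of every listed DLL and rename it. A DLL that is mapped into running processes can usually be renamed
    # even though it cannot be deleted, which is why the thread says "rename first"; delete it after a reboot.
    param([string]$BackupDir = (Join-Path $env:TEMP 'appinit-backup'))
    $dlls  = @(Get-AppInitDll | Where-Object Exists)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $view = if ($key -like '*WOW6432Node*') { 'wow64' } else { 'native' }
        & reg.exe save ($key -replace '^HKLM:\\', 'HKLM\') (Join-Path $BackupDir "windows-$view-$stamp.hiv") /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe save failed for $key; leaving it untouched" }
        # Windows expects the value to exist, so blank it rather than deleting it.
        Set-ItemProperty -Path $key -Name AppInit_DLLs -Value ''
    }
    $who = "$env:USERDOMAIN\$env:USERNAME"
    foreach ($d in $dlls) {
        # Same as Safe Mode > Properties > Security > Advanced > Owner, then Full Control, then rename.
        & takeown.exe /F $d.Path | Out-Null
        & icacls.exe $d.Path /grant "${who}:F" | Out-Null
        $newPath = "$($d.Path).quarantined-$stamp"
        Rename-Item -LiteralPath $d.Path -NewName (Split-Path $newPath -Leaf)
        [pscustomobject]@{ Original = $d.Path; RenamedTo = $newPath; Sha256 = $d.Sha256; Backup = $BackupDir }
    }
}

# Usage (elevated): review first, then act, then reboot so nothing still has the DLL mapped.
Get-AppInitDll | Format-List
# Remove-AppInitDll | Format-List
```

Two caveats a practitioner would want here. First, read the `Get-AppInitDll` output before running the removal: an unsigned, hidden DLL in System32 owned by SYSTEM that Norton cannot open is the picture this thread describes, but legitimate software (some accessibility and printing tools) also registers AppInit DLLs, and the hash lets you check a suspect against a reputation source before deciding. Second, on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled altogether, so on those systems a non-empty value is a stale or attempted persistence rather than a working one.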
     
  10. Val-Dan

    Val-Dan Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    Here is the new HijackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:13:35 PM, on 7/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\PROMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Downloads-Security\HijackThis7-14.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iconusersgroup.org/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [EarthLink Installer] " /C
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065734229765
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    From Windows.txt:



    Is this what you need?

    The Norton Alert Window is gone and my computer boots up faster and runs smoother than it has in a long time. Thank you, thank you, thank you!
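The O4 (Run key) and O16 (ActiveX download) entries in a log like the one above are what a helper reads first. As an added example, not code from this thread or from HijackThis, here is a small Python triage that parses those two line types from a constructed sample in the same format, records where each O16 component was downloaded from, and flags Run entries that have no absolute path or a malformed command line (like the EarthLink Installer line) for manual review; a flag means "look at this", not "malicious".

```python
import re
from urllib.parse import urlsplit
# Constructed sample in the shape of the HijackThis O4/O16 lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
"""

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]+)\) - (?P<url>\S+)$")

def command_path(cmd):
    # Executable part of a Run value; '' when an opening quote is never closed.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else ""
    return cmd.split(" ", 1)[0]

def triage_o4(line):
    # flag is None for a normal absolute path, otherwise the reason to look closer.
    m = O4_RE.match(line)
    if not m:
        return None
    path = command_path(m.group("cmd"))
    if not path:
        flag = "malformed command line (unterminated quote)"
    elif re.match(r"^[A-Za-z]:\\", path):
        flag = None
    else:
        flag = "bare file name, resolved through PATH at logon"
    return {"name": m.group("name"), "path": path, "flag": flag}

def triage_o16(line):
    # Record where each ActiveX download (DPF) entry came from: local help system or a web host.
    m = O16_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    source = "local" if url.scheme in ("hcp", "file") else url.netloc
    return {"name": m.group("name"), "clsid": m.group("clsid"), "source": source, "flag": None}

def triage(log_text):
    # Returns (all parsed O4/O16 entries, the subset a reviewer should read first).
    entries = [e for e in (triage_o4(ln) or triage_o16(ln) for ln in log_text.strip().splitlines()) if e]
    return entries, [e for e in entries if e["flag"]]
```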
     
  11. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Glad to hear things are better. It looks like the hidden dll is gone and that is great. Log looks good.

    Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Happy Surfing!
     