RapidBlaster

Discussion in 'adware, spyware & hijack cleaning' started by ami, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. ami

    ami Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    7
    I have downloaded Spybot but it can't get this RapidBlaster off my system and as such keeps installing strange daillers and browsers onto my system.
    A friend of mine sent me the link for hijack this. I have attatched the log.


    ----copied the attached log and posted for ease of use - snap


    Logfile of HijackThis v1.98.0
    Scan saved at 05:15:09, on 16/07/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\GRIFFIN TECHNOLOGY\POWERMATE\POWERMATE.EXE
    C:\WINDOWS\SYSTEM\FPDISP4A.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    C:\WINDOWS\SYSTEM\RPDGSTB.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.0001.1004\EN-US\MSNAPPAU.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WIND.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
    C:\WINDOWS\APPLICATION DATA\OEEO.EXE
    C:\WINDOWS\SYSTEM\WRYXBLX.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\6BRCF5WHWEM.DLL
    O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\SYSTEM\services\2.01.00.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.0001.1004\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [PowerMate] C:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [ZeroAdsLAS] C:\Program Files\FBM Software\ZeroAds\LAS0Ads.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    O4 - HKLM\..\Run: [lbsyqyvftcmtt] C:\WINDOWS\SYSTEM\rpdgstb.exe
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.0001.1004\en-us\msnappau.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Zeroads] C:\Program Files\FBM Software\ZeroAds\Zeroads.exe
    O4 - HKCU\..\Run: [wind.exe] C:\WINDOWS\SYSTEM\wind.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
    O4 - HKCU\..\Run: [Ttnc] C:\WINDOWS\Application Data\oeeo.exe
    O4 - HKCU\..\Run: [Lgttd] C:\WINDOWS\SYSTEM\wryxblx.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
    O10 - Broken Internet access because of LSP provider 'fbm_lsp.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4326/mcfscan.cab
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.1and1.co.uk/app/static/activex/msxml4.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a2f745d64562:c31e3730b38c174130e1e2729109a237
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = easynet.co.uk
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.135.136.0,195.40.1.36
    O18 - Filter: text/html - {F3C4FB0D-D6BF-11D8-B19A-0001FB8A0BBA} - C:\WINDOWS\SYSTEM\AFDOCGA.DLL
    O18 - Filter: text/plain - {F3C4FB0D-D6BF-11D8-B19A-0001FB8A0BBA} - C:\WINDOWS\SYSTEM\AFDOCGA.DLL
    O19 - User stylesheet: C:\WINDOWS\win32.bmp
     

    Attached Files:

    Last edited by a moderator: Jul 16, 2004
  2. ami

    ami Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    7
    By the way I've already tried RapidBlasterKiller but it tells me there are no RapidBlaster components running but I know they are there because things keep popping up every second.
     
  3. ami

    ami Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    7
    Hi there, still haven't heard anything about the log I posted. I have tried scanning with other software like Adaware and Avast. I think it's helped but I can't be sure until someone has a look for me. Please I need to get my life back as this seems to take up all of my spare time. Please help. I'm attaching my new log.

    Thanks.

    PS: Can't seem to get the attachment section to load - bummer! Will have to try again later.
    ami
     
  4. ami

    ami Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    7
    The problem was with my notepad. I seem to have lost it together with Windows Media Player, solitaire, Freecell and a few others. Anyway I opened the log in WordPad and here it is:

    Logfile of HijackThis v1.98.0
    Scan saved at 07:29:02, on 19/07/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\GRIFFIN TECHNOLOGY\POWERMATE\POWERMATE.EXE
    C:\WINDOWS\SYSTEM\FPDISP4A.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.0001.1004\EN-US\MSNAPPAU.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WIND.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altatechnology.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msn.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.co.uk
    F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.0001.1004\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [PowerMate] C:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.0001.1004\en-us\msnappau.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Zeroads] C:\Program Files\FBM Software\ZeroAds\Zeroads.exe
    O4 - HKCU\..\Run: [wind.exe] C:\WINDOWS\SYSTEM\wind.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [Zeroads] C:\Program Files\FBM Software\ZeroAds\Zeroads.exe
    O4 - HKCU\..\RunServices: [wind.exe] C:\WINDOWS\SYSTEM\wind.exe
    O4 - HKCU\..\RunServices: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O10 - Broken Internet access because of LSP provider 'fbm_lsp.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4326/mcfscan.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.1and1.co.uk/app/static/activex/msxml4.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a2f745d64562:c31e3730b38c174130e1e2729109a237
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = easynet.co.uk
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.135.136.0,195.40.1.36
    O19 - User stylesheet: (file missing)
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    In Hijack This, check all of the following items, then close all browser windows, and press "Fix Checked":

    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    O4 - HKCU\..\Run: [wind.exe] C:\WINDOWS\SYSTEM\wind.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\RunServices: [wind.exe] C:\WINDOWS\SYSTEM\wind.exe
    O4 - HKCU\..\RunServices: [uninstal] regsvr32 /u /s image.dll

    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/...ller/dwnldr.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...0e1e2729109a237

    O19 - User stylesheet: (file missing)



    Now restart your computer, and delete:

    The C:\Program Files\Windupdates folder
    The C:\Windows\System\Wind.exe file

    If you have a WMPLAYER.EXE file in your C:\Windows\Services folder, delete that one as well.

    NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    When done, post a fresh log.

    About your Notepad, do you still have a Notepad.exe file in C:\Windows? If so, could you rightclick it, choose Properties, and post the Version information?
     
  6. ami

    ami Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    7
    Hi Tony, Thanks for coming back to me on this. I have been busy with work and had to put this aside for a while. I did as you advised but could not find the C:\Windows\Services folder to check for the WMPLAYER.EXE file. My homepage still keeps reverting to about:blank and at startup, a window comes up to tell me that Ocraware has performed an illegal operation and will be shut down. The only info i got on the Notepad is that it was created on 23 April 1999 and modified 24 May 2004. There's no other info available. Here's my new log and thanks again for your help.

    Logfile of HijackThis v1.98.0
    Scan saved at 07:17:42, on 21/07/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\GRIFFIN TECHNOLOGY\POWERMATE\POWERMATE.EXE
    C:\WINDOWS\SYSTEM\FPDISP4A.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.0001.1004\EN-US\MSNAPPAU.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FBM SOFTWARE\ZEROADS\ZEROADS.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msn.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
    O2 - BHO: (no name) - {B99E8022-D9DA-11D8-B19B-0001DC30A687} - C:\WINDOWS\SYSTEM\CEADG.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.0001.1004\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [PowerMate] C:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.0001.1004\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Zeroads] C:\Program Files\FBM Software\ZeroAds\Zeroads.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O10 - Broken Internet access because of LSP provider 'fbm_lsp.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4326/mcfscan.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.1and1.co.uk/app/static/activex/msxml4.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = easynet.co.uk
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.135.136.0,195.40.1.36
    O18 - Filter: text/html - {B99E8021-D9DA-11D8-B19B-00012CE238F0} - C:\WINDOWS\SYSTEM\CEADG.DLL
    O18 - Filter: text/plain - {B99E8021-D9DA-11D8-B19B-00012CE238F0} - C:\WINDOWS\SYSTEM\CEADG.DLL

    Truly grateful,
    ami
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Please do the following, in that exact order:

    Download About:Buster from here

    http://www.downloads.subratam.org/AboutBuster.zip

    Now start your computer in Safe Mode , and have Hijack This fix all of the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {B99E8022-D9DA-11D8-B19B-0001DC30A687} - C:\WINDOWS\SYSTEM\CEADG.DLL

    O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE

    O18 - Filter: text/html - {B99E8021-D9DA-11D8-B19B-00012CE238F0} - C:\WINDOWS\SYSTEM\CEADG.DLL
    O18 - Filter: text/plain - {B99E8021-D9DA-11D8-B19B-00012CE238F0} - C:\WINDOWS\SYSTEM\CEADG.DLL


    Delete the C:\Windows\Ceadg.dll file
    and the Windupdates folder in C:\Program Files.

    Unzip About:Buster to your desktop. Double click it and hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done save the report. Reboot normally, post the report and a new Hijack this log here.
     
  8. ami

    ami Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    7
    Hi Tony, here's the About:Buster report and my new hijackthis log. I could not find the C:\Windows\Ceadg.dll file. Anytime I try to save the log for hijackthis, a message comes up to say 'The procedure entry point Open Thread could not be located in the dynamic link library KERNEL32.DLL. I suspect it is something to do with notepad. What do you think?

    -- Scan 1 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    Logfile of HijackThis v1.98.0
    Scan saved at 00:17:28, on 22/07/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\GRIFFIN TECHNOLOGY\POWERMATE\POWERMATE.EXE
    C:\WINDOWS\SYSTEM\FPDISP4A.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.0001.1004\EN-US\MSNAPPAU.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FBM SOFTWARE\ZEROADS\ZEROADS.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.co.uk
    F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.0001.1004\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [PowerMate] C:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.0001.1004\en-us\msnappau.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Zeroads] C:\Program Files\FBM Software\ZeroAds\Zeroads.exe
    O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [Zeroads] C:\Program Files\FBM Software\ZeroAds\Zeroads.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O10 - Broken Internet access because of LSP provider 'fbm_lsp.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4326/mcfscan.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.1and1.co.uk/app/static/activex/msxml4.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = easynet.co.uk
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.135.136.0,195.40.1.36

    Still grateful,
    ami
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    My bad, Hijack This will already have taken care of Ceadg.dll...

    It's a clean log; you're no longer infected, by the looks of it. :)
    As for Notepad, try extracting a fresh copy from your Windows CD-ROM; you can use System File Checker to do that:

    System File Checker Step by Step

    Tell us whether that makes a difference.
     
  10. ami

    ami Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    7
    Thanks Tony. I'm now a happy bunny :D I'll locate my Windows disk and sort out the notepad. I'll definitely let you know how it goes.

    forever grateful,
    ami
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Good for you! Do keep us posted. :)
     
Thread Status:
Not open for further replies.