MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Computer Support Forums > Internet & Network Support > Security & Viruses
Topic: ActiveX Infestation - Unable to Remove
maisond
« on: July 27, 2005, 07:18:42 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:


Help!  We simply cannot get rid of this.  Spybot lists it as malware from Netster.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

Nor can we get rid of these two unknowns:

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -

We've followed John Vicker's suggestions (except for TrendMicro which requires MSIE & Java) and some of the other suggestions here, but these three keep coming back every reboot.  We'd gratefully appreciate help in getting our system cleaned out.
======================================================
Logfile of HijackThis v1.99.1
Scan saved at 2:06:32 PM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FreeSnap\FreeSnap.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wscntfy.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Miscellaneous Software\z.charles\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Start FreeSnap.lnk = C:\Program Files\FreeSnap\FreeSnap.exe
O4 - Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Start FreeSnap.lnk = C:\Program Files\FreeSnap\FreeSnap.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120502027046
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
=======================================================================================
---The following is reported by Spybot:

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
          DPF name: Microsoft XML Parser for Java
        CLSID name:
       description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
         info link:
       info source: Patrick M. Kolla

{0E5F0222-96B9-11D3-8997-00104BD12D94} ()
          DPF name:
        CLSID name:
       description: Gateway tools
    classification: Unknown
    known filename: PCPITSTOP.DLL
         info link:
       info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
          DPF name:
        CLSID name: Windows Genuine Advantage Validation Tool
              Path: C:\WINNT\system32\
         Long name: LegitCheckControl.DLL
        Short name:       LEGITC~1.DLL
    Date (created): 6/17/2005 11:40:36 AM
Date (last access): 7/25/2005 7:23:14 PM
 Date (last write): 6/17/2005 11:40:36 AM
          Filesize:             459528
        Attributes:           archive
               MD5: 7892B1E00FB5D0C311800C164F28748A
             CRC32:           E7635C5F
           Version:            0.1.0.2

{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class)
          DPF name:
        CLSID name: MSSecurityAdvisor Class
              Path: C:\WINNT\System32\
         Long name:       mssecadv.dll
        Short name:                  
    Date (created): 9/8/2003 11:30:46 AM
Date (last access): 7/22/2005 6:06:24 PM
 Date (last write): 9/8/2003 11:30:46 AM
          Filesize:              36960
        Attributes:           archive
               MD5: A4282FD762CE1C4FFA665538E335CFF0
             CRC32:           51ECFB75
           Version:            0.5.0.4

--NOTE that HJT does not list this one.---
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
          DPF name:
        CLSID name: Office Update Installation Engine
              Path:          C:\WINNT\
         Long name:           opuc.dll
        Short name:                  
    Date (created): 8/27/2003 5:10:30 AM
Date (last access): 7/25/2005 7:23:06 PM
 Date (last write): 1/18/2005 2:07:18 AM
          Filesize:             326656
        Attributes:           archive
               MD5: 20393D64F69F26361A97FD9AFB3C9243
             CRC32:           0B4DBA7F
           Version:           0.11.0.0

{56336BCB-3D8A-11D6-A00B-0050DA18DE71} ()
          DPF name:
        CLSID name:
       description: Netster
    classification: Confirmed as malware
    known filename:
         info link:
       info source:

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
          DPF name:
        CLSID name: MUWebControl Class
              Path: C:\WINNT\system32\
         Long name:          muweb.dll
        Short name:                  
    Date (created): 5/26/2005 4:19:32 AM
Date (last access): 7/25/2005 7:22:54 PM
 Date (last write): 5/26/2005 4:19:32 AM
          Filesize:             178408
        Attributes:           archive
               MD5: EE37AA2C0700221CD8B02FADCD4C7FB5
             CRC32:           F5494B06
           Version:            0.5.0.8

{739E8D90-2F4C-43AD-A1B8-66C356FCEA35} ()
          DPF name:
        CLSID name:

{99CDFD87-F97A-42E1-9C13-D18220D90AD1} ()
          DPF name:
        CLSID name:

{D27CDB6E-AE6D-11CF-96B8-444553540000} ()
          DPF name:
        CLSID name:
       description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename:
         info link:
       info source: Patrick M. Kolla
======================================================
« Last Edit: July 27, 2005, 07:23:02 PM by maisond »

 
Geekgirl (Global Moderator)
« Reply #1 on: July 28, 2005, 02:57:41 PM »

Hello and Welcome to MyTechSupport.ca

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.


Download / Install / Update / and Run:
Ad-Aware SE (check for any updates before running it).
Get the plug-in for fixing VX2 variants. You can download it at this SITE.
To run this tool, install it to the hard drive, then open Ad-Aware -> Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status: System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.


Scan your pc with one of these free online scanners:
Panda ActiveScan
RAV AntiVirus
Housecall. Be sure to check the box beside AutoClean.

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (alternate link if the main link doesn't work) and install it. You will use this later.

Download Ewido Security Suite
Update it
Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
maisond
« Reply #2 on: July 29, 2005, 01:01:41 AM »

Dear GG,
before we start the procedure--in the morning--is freesnap malware?  It was touted very recently in, I think, PC Magazine.  It's at http://blueonion.home.comcast.net/ and Google lists several other sources.

It's the only thing we've found that does exactly what we want, to move and sticky open our windows in the bottom right corner.

But we'll give it up if necessary.  Thanks!
Geekgirl (Global Moderator)
« Reply #3 on: July 29, 2005, 02:10:28 AM »

OK, I did some more searching. When I originally checked on Google I typed in freesnap.exe and got absolutely no hits, making me believe it was an unknown exe. I did type in freesnap and got some hits, and I think it is OK to keep.
maisond
« Reply #4 on: July 29, 2005, 02:33:24 PM »

Dear GeekGirl,
The Adaware SE with VX2 reported system clean.

Now we can't get any of the three anti-virus scanners to work for us.  We switched back to MSIE and set the IE options security tab to allow ActiveX--using the Housecall FAQ settings for ActiveX.  The details are:
Panda- Blank page with Done at the left bottom;
RAV- Done, but with errors on page, and no place to click to continue;
Housecall- Error on page and no place to click.

We've also turned off Spybot's locking of the IE options from within MSIE.

We have on our system updated Avast!, AVG, Spybot, and Spy Sweeper.  Would any of these be acceptable substitutes?

Thank you.
Geekgirl (Global Moderator)
« Reply #5 on: July 29, 2005, 02:37:46 PM »

AVG would work, and I really don't think you have a virus/worm, but it never hurts to scan using an online scanner.

You really shouldn't have 2 anti-virus programs running on the same system; it may cause conflicts.

Go through with the HJT fix I laid out for you.
maisond
« Reply #6 on: July 29, 2005, 09:47:29 PM »

Dear GeekGirl,

We've carefully followed your instructions, details available if you need them.  BUT--what happens is that the three 16 DPFs go away until--the only change made--teatimer is checked back on.  Then they're back.  

Also, every time we lock the host file through Spybot, it gets unchecked.

Two HJT logs follow.  The first is after rebooting after following your instructions, the second is after--only--turning teatimer back on.
==================================================================
Teatimer OFF

Logfile of HijackThis v1.99.1
Scan saved at 5:26:56 PM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Miscellaneous Software\z.charles\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120502027046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
==================================================================
Teatimer ON

Logfile of HijackThis v1.99.1
Scan saved at 5:29:29 PM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Miscellaneous Software\z.charles\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120502027046
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
==================================================================
[btwz: onez of uz droolz!]
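The comparison the post above does by eye (TeaTimer off versus on) as an added example; this is not code from the thread, from HijackThis or from Spybot. It parses the O16 (Downloaded Program Files) lines of two HJT logs and reports which CLSIDs appear in only one of them, flagging entries that carry neither a friendly name nor a codebase URL, which is the shape of the three entries being chased here and in the first post. The two sample logs are constructed from O16 lines quoted in this thread; the function names and the "Bare" classification are my own.

```powershell
# Added example, not from the original thread. Sample logs are constructed
# from the O16 lines quoted in this thread.
$logTeaTimerOff = @'
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
'@

$logTeaTimerOn = @'
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
'@

function ConvertFrom-HjtO16 {
    # Parse "O16 - DPF: {CLSID} (Friendly Name) - http://codebase" lines.
    # Name and codebase are both optional: HJT prints "{CLSID} -" when it
    # knows neither, which is the shape of the entries this thread is chasing.
    param([Parameter(Mandatory)][string]$LogText)
    $pattern = '^O16 - DPF:\s*(?<clsid>\{[0-9A-Fa-f-]{36}\})\s*(?:\((?<name>[^)]*)\))?\s*-\s*(?<codebase>\S+)?\s*$'
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match $pattern) {
            # Non-participating groups are absent from $Matches, so these read as $null.
            $name     = $Matches['name']
            $codebase = $Matches['codebase']
            [pscustomobject]@{
                Clsid    = $Matches['clsid'].ToUpperInvariant()
                Name     = $name
                Codebase = $codebase
                Bare     = [string]::IsNullOrEmpty($name) -and [string]::IsNullOrEmpty($codebase)
            }
        }
    }
}

function Compare-HjtO16 {
    # Which CLSIDs differ between two logs, with the name/bare flag of each.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $b = @(ConvertFrom-HjtO16 -LogText $Before)
    $a = @(ConvertFrom-HjtO16 -LogText $After)
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Clsid | ForEach-Object {
        $clsid = $_.Clsid
        $side  = $_.SideIndicator
        $entry = ($a + $b) | Where-Object { $_.Clsid -eq $clsid } | Select-Object -First 1
        [pscustomobject]@{
            Clsid = $clsid
            State = if ($side -eq '=>') { 'only in After' } else { 'only in Before' }
            Name  = $entry.Name
            Bare  = $entry.Bare
        }
    }
}

# Which DPF registrations came back once TeaTimer was turned on?
Compare-HjtO16 -Before $logTeaTimerOff -After $logTeaTimerOn | Format-Table -AutoSize

# Bare entries in the "on" log: the ones to resolve against the registry.
ConvertFrom-HjtO16 -LogText $logTeaTimerOn | Where-Object Bare | Select-Object -ExpandProperty Clsid
```

This needs no registry access, so it can be run on any PowerShell 3 or later machine against logs copied off the infected box. A bare entry is not automatically bad (the Flash Player and Gateway-tools entries in this log are bare too); it only means HJT could not name the control or find where it was downloaded from, so the CLSID has to be looked up by hand before deciding.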
Geekgirl (Global Moderator)
« Reply #7 on: July 30, 2005, 03:28:10 PM »

I apologize for not pointing this out earlier: you need to disable TeaTimer before you do the fixes in HJT. Disable TeaTimer and have HJT fix these. That's all that's left:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -
maisond
« Reply #8 on: July 30, 2005, 10:14:54 PM »

Dear GG,  We did follow your instructions carefully, including turning teatimer off.  What we are saying is that after completing the instructions and rebooting normally and running HJT with teatimer still off, the 16 DPFs do not show up.  Then, turning teatimer back on--no other changes anywhere--and immediately running HJT again, the DPFs are back.
Geekgirl (Global Moderator)
« Reply #9 on: July 31, 2005, 07:36:38 PM »

I'm afraid you will need to enter the registry and delete it manually. You can also use a program like Reglite to find these keys: take ownership of the folder/key and delete it. Some of these CLSID folders from the bad guys change the folder/key permissions, so you'll need to make sure the user has FULL access and FULL permissions to remove these keys.
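One way to do what the reply above describes (find the key, take ownership, fix the permissions, delete it) from an elevated PowerShell, as an added example rather than the moderator's or Reglite's procedure. It assumes the registry layout stated in the comments: HijackThis O16 entries correspond to HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}, with the download URL in the DownloadInformation subkey's CODEBASE value and the friendly name in the (default) value of HKCR\CLSID\{CLSID}. Confirm that in regedit before deleting anything, and export the keys first, as the signature says. The function names and the "Bare" classification are my own.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# on the affected machine. The registry layout below is an assumption; verify it
# in regedit before removing anything.
$DistUnits = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

function Get-DistributionUnit {
    # One object per registered Distribution Unit. Bare = neither a friendly
    # name nor a CODEBASE, i.e. what HijackThis prints as "O16 - DPF: {CLSID} -".
    Get-ChildItem -Path $DistUnits -ErrorAction Stop | ForEach-Object {
        $clsid    = $_.PSChildName
        $dlKey    = Join-Path -Path $_.PSPath -ChildPath 'DownloadInformation'
        $codebase = if (Test-Path -Path $dlKey) { (Get-ItemProperty -Path $dlKey).CODEBASE } else { $null }
        $name     = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Clsid    = $clsid
            Name     = $name
            Codebase = $codebase
            Bare     = [string]::IsNullOrEmpty($name) -and [string]::IsNullOrEmpty($codebase)
            Key      = $_.Name
        }
    }
}

function Remove-DistributionUnit {
    # Take ownership of the key, give Administrators full control, then delete it.
    # A control that survives an HJT "fix" has often had Administrators stripped
    # from the key's ACL, which is why a plain Remove-Item fails with access denied.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $subKeys = @(
        "SOFTWARE\Microsoft\Code Store Database\Distribution Units\$Clsid",
        "SOFTWARE\Classes\CLSID\$Clsid"
    )
    foreach ($sub in $subKeys) {
        # Open for WRITE_OWNER only; this is the one access an owner-less admin can still get.
        $key = $hklm.OpenSubKey($sub, 'ReadWriteSubTree', 'TakeOwnership')
        if ($null -eq $key) { Write-Verbose "not present: HKLM\$sub"; continue }
        $acl = $key.GetAccessControl('Owner')
        $acl.SetOwner($admins)
        $key.SetAccessControl($acl)
        $key.Close()

        # As owner we may always rewrite the DACL: full control, inherited by subkeys.
        $key  = $hklm.OpenSubKey($sub, 'ReadWriteSubTree', 'ChangePermissions')
        $acl  = $key.GetAccessControl('Access')
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
        $key.SetAccessControl($acl)
        $key.Close()

        if ($PSCmdlet.ShouldProcess("HKLM\$sub", 'Remove registry key')) {
            Remove-Item -Path "HKLM:\$sub" -Recurse -Force
        }
    }
}

# Inspect first; the thread's three unnamed CLSIDs should show up with Bare = True.
Get-DistributionUnit | Where-Object Bare | Format-Table Clsid, Name, Codebase -AutoSize

# Then remove one at a time, dry run first:
# Remove-DistributionUnit -Clsid '{56336BCB-3D8A-11D6-A00B-0050DA18DE71}' -WhatIf
```

If the first OpenSubKey throws an access-denied error even from an elevated prompt, the key's DACL has removed Administrators entirely and SeTakeOwnershipPrivilege has to be enabled in the session before WRITE_OWNER is granted; regedit's Permissions dialog can take ownership for an administrator in that situation, which is the manual route the reply describes. Remove the control's files from %WINDIR%\Downloaded Program Files as well, otherwise the cached .inf and binaries outlive the registration.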
maisond
« Reply #10 on: August 03, 2005, 09:01:34 PM »

Dear GeekGirl,  Well, we finally got the sucker.  After following your instructions it would seem gone, but on reboot and turning teatimer back on, it would reappear.  It would also turn the hosts file protection off in Spybot.

Using Search, entering 56336BCB- in the word or phrase box, turning on looking in system folders, hidden files and folders, and subfolders, one of the places it showed up was in a Spybot snapshot .reg file.  Looking in there, there was a date associated with it.

Searching for all files modified on that date, we found that we had installed a program on that date.  Extirpating it was the solution; it's gone now.  

Thank you for your expertise and help!
========================================
For cleaning the XP registry, we heartily recommend RegScrubXP from http://www.lexundesigns.com/
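The search-and-pivot the post above describes, as an added example; these are not the poster's actual commands, which were done in the Windows Search dialog. It greps the disk for a CLSID string (Spybot snapshot .reg files, .inf files and cached pages are the usual hits), then lists every file last written on the day of the earliest hit so that whatever was installed that day stands out. The poster pivoted on a date found inside the snapshot file; using the hit file's own timestamp is a simplification. The root path, the function names and the CLSID argument are assumptions.

```powershell
# Added example, not from the original thread. Root defaults to C:\ and the
# CLSID below is the Netster one from this thread; both are assumptions.
function Find-ClsidReferences {
    # Every file under $Root whose contents mention $Clsid, with the hit line
    # and the file's last-write time for the date pivot.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$Root = 'C:\'
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-String -Pattern ([regex]::Escape($Clsid)) -List -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.Path
                Line      = $_.LineNumber
                LastWrite = (Get-Item -LiteralPath $_.Path -Force).LastWriteTime
            }
        }
}

function Get-FilesWrittenOn {
    # Everything whose last-write date falls on $Day: the "what got installed
    # that day" list the poster used to find the offending program.
    param(
        [Parameter(Mandatory)][datetime]$Day,
        [string]$Root = 'C:\'
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime.Date -eq $Day.Date } |
        Sort-Object LastWriteTime |
        Select-Object LastWriteTime, FullName
}

$hits = @(Find-ClsidReferences -Clsid '56336BCB-3D8A-11D6-A00B-0050DA18DE71')
$hits | Format-Table -AutoSize
if ($hits.Count -gt 0) {
    $day = ($hits | Sort-Object LastWrite | Select-Object -First 1).LastWrite
    Get-FilesWrittenOn -Day $day | Format-Table -AutoSize
}
```

Both functions walk the whole drive, so expect this to take a while on a large disk; narrow $Root to %WINDIR%, Program Files and the Spybot folder if the first pass is too slow. Pivoting on last-write time is only a lead: an installer can touch files it did not create, so confirm the candidate program with its own install log or uninstall entry before removing it.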

Geekgirl (Global Moderator)
« Reply #11 on: August 04, 2005, 12:46:50 AM »

YAAAHHH!!!
Thank you for keeping me updated on your progress.

It would probably be a good idea to set a "new" system restore point.

Follow these instructions:

Turn off System Restore by doing the following:

Click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK. Then you can go ahead and enable it again.


To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.