Luke_Y (Second Unit) - Joined Aug 20, 2001 - Messages: 424
Need some help with a continuing virus/spyware problem.
OK, where to start... Over the last month or so I have had recurring problems; every time I think I have it all cleaned up, it comes back after a day or so. It starts with either a browser homepage hijack to "QuickMetaSearch.com", the installation of a "Zero Category" (0CAT) toolbar on Internet Explorer, or an AVG warning that a virus was found.
Most commonly the virus is "Prvdi1.exe", which AVG lists as "Trojan Horse Dropper.small.9.BV". Sometimes it is "dload.exe" ("Downloader.small.bu"). It is usually first reported in C:\docs&settings\user\localsettings\temp.
AVG deletes it fine. When I go to the folder I also find StHP.exe & 0cyp.exe, so I delete those as well. I then go looking around and find a "STHomePage" folder and a "0CatYellowPages" folder in C:\ProgramFiles. I delete those folders. I go looking in C:\Windows\System32 and sometimes find dload.exe or prvdi.exe there and delete those as well.
I look in Add/Remove Programs and remove "0Cat Yellow Pages 1.0"; it says it was successfully removed, and then a browser window opens going to 0cat.com. I quickly close it, but when I went back to c:\docsandsett\user\localset\temp there was a new file "A~NSISU_.exe"... deleted that. Back in c:\programs the ST Homepage folder was back as well... deleted that.
OK, so back in Add/Remove Programs I didn't recognize a program called LinksHelper 1.0 and tried to remove it. An error said it could not be found, possibly already removed.
Next I run HijackThis and have it fix everything I know should not be there. Here is the log with *** in front of the things I fixed.
Logfile of HijackThis v1.99.0
Scan saved at 6:25:20 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
***R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://portal.uky.edu/proxy.pac:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://adobeols.ofoto.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
***O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
***O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
***O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
***O9 - Extra button: My button - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
***O9 - Extra 'Tools' menuitem: My menu - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O15 - Trusted Zone: *.bankone.com
O15 - Trusted Zone: *.uky.edu
O15 - Trusted Zone: *.weather.com
O15 - Trusted Zone: *.windowsupdate.com
O23 - Service: Adobe Active File Monitor - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
I then ran Spybot, which found and fixed "7Fasst" (Browser Hijacker).
AdAware: nothing; CWShredder: nothing; and an AVG full scan: nothing. So I restart the system and check my browser: OK, no toolbar and MSN homepage. I run HijackThis and get a result I think is clean:
Logfile of HijackThis v1.99.0
Scan saved at 7:54:00 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell\SupportAlert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://portal.uky.edu/proxy.pac:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://adobeols.ofoto.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O15 - Trusted Zone: *.bankone.com
O15 - Trusted Zone: *.uky.edu
O15 - Trusted Zone: *.weather.com
O15 - Trusted Zone: *.windowsupdate.com
O23 - Service: Adobe Active File Monitor - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
I believe I know what everything there is, so it looks OK. I go look in the folders where I have previously found the offending files and don't find them. Everything all cleaned up, or so I think, for a few days or a few hours. But then it's repeat the whole thing all over.
A bit about my current settings: Windows Update current, AVG current, and the previously mentioned tools current. Sometime after the first virus I turned System Restore off, disabled Java caching, and went into Internet Options > Security and set all ActiveX settings to disable or prompt, and did the same for scripting; Java is set to high safety.
Someone please help, I can't kill this thing. :(
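As an added example (not code from Luke_Y's post or from HijackThis): a short Python script that parses logs in the format above and diffs two scans of the same machine, so you can confirm the *** entries really are gone and spot any startup entry or process that is new after the reboot, which is the kind of change that matters when an infection keeps coming back. The log excerpts are taken from the two scans in the post with backslashes restored; the watch-list of names is assumed from the post.

```python
import re

# Excerpts of the two HijackThis logs in the post (backslashes restored).
# BEFORE is the 6:25 PM scan with the user's *** marks; AFTER is the 7:54 PM scan.
BEFORE = r"""
Logfile of HijackThis v1.99.0
Scan saved at 6:25:20 PM, on 2/4/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
***R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
***O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
***O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

AFTER = r"""
Logfile of HijackThis v1.99.0
Scan saved at 7:54:00 PM, on 2/4/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\SupportAlert\bin\NotifyAlert.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Names from the post that identify the unwanted software (assumed watch list).
SUSPECT_NEEDLES = ("quickmetasearch", "sthomepage", "0cat", "stiebar", "prvdi", "dload")

# An entry line: optional *** prefix, then a section tag such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(\*{3})?([RO]\d+) - (.*)$")


def parse_hjt(text):
    """Split a log into (running processes, entries).

    processes: set of lowercased image paths from the 'Running processes:' block.
    entries:   dict mapping 'Oxx - ...' text to True if it carried the *** mark.
    """
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first R/O line ends the process block
            entries[f"{m.group(2)} - {m.group(3)}"] = m.group(1) is not None
        elif in_procs:
            processes.add(line.lower())
    return processes, entries


def suspect_entries(entries, needles=SUSPECT_NEEDLES):
    """Entries whose text mentions any watch-list name (case-insensitive)."""
    return sorted(e for e in entries if any(n in e.lower() for n in needles))


def diff_logs(before, after):
    """Report what a cleanup changed between two scans of the same machine."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {
        "fixed_and_gone": sorted(e for e, fixed in eb.items() if fixed and e not in ea),
        "fixed_but_back": sorted(e for e, fixed in eb.items() if fixed and e in ea),
        "new_entries": sorted(e for e in ea if e not in eb),
        "new_processes": sorted(pa - pb),
        "gone_processes": sorted(pb - pa),
        "still_suspect": suspect_entries(ea),
    }


if __name__ == "__main__":
    for key, items in diff_logs(BEFORE, AFTER).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Run it again on a scan taken the next time the hijack returns and the "new_entries" and "new_processes" lists will show the re-infection path the cleanup missed.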