I don't know what to do!!



xoLacieox
23-03-2007, 09:14 PM
My computer won't let me open any programs by just clicking the icons or doing the "Run as..." thing. I can't open anything to scan them because it either says Windows can't find it or I get an NSIS Error. I don't know what else to do. Can someone help me? I don't want to have to erase everything.

stu161204
23-03-2007, 10:03 PM
Welcome to PressF1 xoLacieox :)

You will need to give us some more information, before we can help you more.

What version of Windows are you using? Windows XP, Vista, etc.?

When did this start to happen?

Have you installed any new programs? Or done any changes to the system?

Hope to hear from you soon.

xoLacieox
24-03-2007, 09:31 AM
It started happening yesterday. I have Windows XP. I haven't installed anything recently. Here's my log file.

---------


Logfile of HijackThis v1.99.1
Scan saved at 3:23:08 PM, on 3/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\spenca\Desktop\WGAPluginInstall.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\spenca\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A33B181A-FED8-D75D-D7DB-A328E17566ED} - C:\WINDOWS\System32\ecfiwuo.dll (file missing)
R3 - URLSearchHook: (no name) - {A7384E1F-FFDC-890B-DEDB-A328E17564B8} - C:\WINDOWS\System32\eersb.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe ,
O2 - BHO: (no name) - {55295C28-084E-697C-FEBF-0453A8030F40} - C:\WINDOWS\System32\tlgieg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8AA40010-216F-4F3F-B0DD-5CED785DBA56} - (no file)
O2 - BHO: (no name) - {A33B181A-FED8-D75D-D7DB-A328E17566ED} - C:\WINDOWS\System32\ecfiwuo.dll (file missing)
O2 - BHO: (no name) - {A7384E1F-FFDC-890B-DEDB-A328E17564B8} - C:\WINDOWS\System32\eersb.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\xmjfcfmd.dll (file missing)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [xbifvgm.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xbifvgm.dll,hyntkd
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142893477\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Sparta Messenger] C:\Program Files\Sparta Messenger\messenger.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [phone warn blue cdrom] C:\Documents and Settings\All Users.WINDOWS\Application Data\ante bias phone warn\RectHtm.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [7c1bf5af.exe] C:\Documents and Settings\spenca\Local Settings\Application Data\7c1bf5af.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Cnpt] "C:\PROGRA~1\CROSOF~1.NET\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Wsy] C:\WINDOWS\system32\F?nts\d?xplore.exe
O4 - HKCU\..\Run: [Vc List] C:\DOCUME~1\spenca\APPLIC~1\LIVESI~1\scr stupid.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {1030360D-96BC-0153-3367-019843FACFE8} - [edit: URL removed]
O16 - DPF: {13DD0220-6868-7BF5-4C4E-0E14485A3FC7} - [edit: URL removed]
O16 - DPF: {22155947-231E-2D93-843F-69D32FE08B17} - [edit: URL removed]
O16 - DPF: {28C83A3E-7B3A-61A0-39DC-552F75FA3669} - [edit: URL removed]
O16 - DPF: {2F7326C4-C934-4970-B905-6412358FB1B8} - [edit: URL removed]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {32FBD2F2-6775-66E9-EDB1-17D9608799A7} - [edit: URL removed]
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunee.mht![edit: URL removed]
O16 - DPF: {43252D4B-6507-6AB6-B806-19097B65F37E} - [edit: URL removed]
O16 - DPF: {5292D217-2A56-6A12-5095-48B54C615058} - [edit: URL removed]
O16 - DPF: {52FB0A32-3CEB-4265-A61B-7264378D2C5B} - [edit: URL removed]
O16 - DPF: {5B3BE806-B2AA-6160-8D36-20916B23281A} - [edit: URL removed]
O16 - DPF: {621BA16D-D68A-3472-3700-337930145A9E} - [edit: URL removed]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165712890421
O16 - DPF: {693D633D-0E6E-172F-B258-6194290D3B15} - [edit: URL removed]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165732903598
O16 - DPF: {77F1FB16-89D7-605D-21E2-2C7D0BB90F5E} - [edit: URL removed]
O16 - DPF: {7A9A3750-BBFA-5978-C755-7715098E69A0} - [edit: URL removed]
O16 - DPF: {7B3061BC-14E0-3079-00CA-6DB417C1F00D} - [edit: URL removed]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\spenca\LOCALS~1\Temp\win fix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxxu - C:\WINDOWS\
O20 - Winlogon Notify: msldr32 - msldr32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Speedy Gonzales
24-03-2007, 10:13 AM
Your system is covered in malware.

Unzip HJT and put it in its own folder before you run it again. Then tick these entries and click Fix checked. Close your browser(s).

R3 - URLSearchHook: (no name) - {A33B181A-FED8-D75D-D7DB-A328E17566ED} - C:\WINDOWS\System32\ecfiwuo.dll (file missing)

R3 - URLSearchHook: (no name) - {A7384E1F-FFDC-890B-DEDB-A328E17564B8} - C:\WINDOWS\System32\eersb.dll (file missing)

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe ,

O2 - BHO: (no name) - {8AA40010-216F-4F3F-B0DD-5CED785DBA56} - (no file)

O2 - BHO: (no name) - {A33B181A-FED8-D75D-D7DB-A328E17566ED} - C:\WINDOWS\System32\ecfiwuo.dll (file missing)

O2 - BHO: (no name) - {A7384E1F-FFDC-890B-DEDB-A328E17564B8} - C:\WINDOWS\System32\eersb.dll (file missing)

O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\xmjfcfmd.dll (file missing)

O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)

O4 - HKLM\..\Run: [xbifvgm.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xbifvgm.dll,hyntkd

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142893477\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" - uninstall this, it installs adware/spyware

O4 - HKLM\..\Run: [Sparta Messenger] C:\Program Files\Sparta Messenger\messenger.exe

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe

O4 - HKCU\..\Run: [7c1bf5af.exe] C:\Documents and Settings\spenca\Local Settings\Application Data\7c1bf5af.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [Wsy] C:\WINDOWS\system32\F?nts\d?xplore.exe

O4 - HKCU\..\Run: [Vc List] C:\DOCUME~1\spenca\APPLIC~1\LIVESI~1\scr stupid.exe

O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe

O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {1030360D-96BC-0153-3367-019843FACFE8} -
O16 - DPF: {13DD0220-6868-7BF5-4C4E-0E14485A3FC7} -
O16 - DPF: {22155947-231E-2D93-843F-69D32FE08B17} -
O16 - DPF: {28C83A3E-7B3A-61A0-39DC-552F75FA3669} -
O16 - DPF: {2F7326C4-C934-4970-B905-6412358FB1B8} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {32FBD2F2-6775-66E9-EDB1-17D9608799A7} -
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunee.mht!
O16 - DPF: {43252D4B-6507-6AB6-B806-19097B65F37E} -
O16 - DPF: {5292D217-2A56-6A12-5095-48B54C615058} -
O16 - DPF: {52FB0A32-3CEB-4265-A61B-7264378D2C5B} -
O16 - DPF: {5B3BE806-B2AA-6160-8D36-20916B23281A} -
O16 - DPF: {621BA16D-D68A-3472-3700-337930145A9E} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1165712890421
O16 - DPF: {693D633D-0E6E-172F-B258-6194290D3B15} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165732903598
O16 - DPF: {77F1FB16-89D7-605D-21E2-2C7D0BB90F5E} -
O16 - DPF: {7A9A3750-BBFA-5978-C755-7715098E69A0} -
O16 - DPF: {7B3061BC-14E0-3079-00CA-6DB417C1F00D} -

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\spenca\LOCALS~1\Temp\win fix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxxu - C:\WINDOWS\
O20 - Winlogon Notify: msldr32 - msldr32.dll (file missing)

Install a firewall, and install SP1 or 2 (preferably 2) ONCE you get rid of the malware.

Uninstall ALL versions of Sun Java as well. The update is in my sig below.

Get Trojan Remover from my sig below. Install it, run it, update it, then click on Scan, then select the 3rd to 7th options under the Utilities menu.

Post another log once you tick the entries above and click Fix checked.

Speedy Gonzales
24-03-2007, 11:09 AM
For anyone else visiting this post, DON'T click on the exe file links.

They may be nasty. I've sent a PM to the mods to remove the exe file links just in case.

xoLacieox
24-03-2007, 11:39 AM
Logfile of HijackThis v1.99.1
Scan saved at 5:39:59 PM, on 3/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\spenca\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {55295C28-084E-697C-FEBF-0453A8030F40} - C:\WINDOWS\System32\tlgieg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [phone warn blue cdrom] C:\Documents and Settings\All Users.WINDOWS\Application Data\ante bias phone warn\RectHtm.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Cnpt] "C:\PROGRA~1\CROSOF~1.NET\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

radium
24-03-2007, 12:03 PM
You still have 2 more entries to remove:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,

O2 - BHO: (no name) - {55295C28-084E-697C-FEBF-0453A8030F40} - C:\WINDOWS\System32\tlgieg.dll (file missing)

Have you run Trojan Remover like Speedy said?

xoLacieox
24-03-2007, 12:12 PM
Oh. Oops. I'll do that if I can open it.

xoLacieox
24-03-2007, 12:22 PM
Ok. Did I get everything this time?
------

Logfile of HijackThis v1.99.1
Scan saved at 6:22:14 PM, on 3/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\spenca\Desktop\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\CustomXML\CustomXML.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: CustomXML Toolbar Helper - {133688B3-7842-4D9D-BF7C-940E1097F900} - C:\WINDOWS\system32\CustomXMLbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CustomXML - {2C986504-AE32-493F-9D44-E1C5D17A3091} - C:\WINDOWS\system32\CustomXMLBand.dll
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [CustomXML] C:\Program Files\CustomXML\CustomXML.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Cnpt] "C:\PROGRA~1\CROSOF~1.NET\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Speedy Gonzales
24-03-2007, 12:23 PM
Unzip the zipped HJT file you downloaded, and put the main HJT file in its own folder, before running it again.

Then tick these entries and click Fix checked. Close your browser(s) again.

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,

O2 - BHO: (no name) - {55295C28-084E-697C-FEBF-0453A8030F40} - C:\WINDOWS\System32\tlgieg.dll (file missing)

O4 - HKLM\..\Run: [phone warn blue cdrom] C:\Documents and Settings\All Users.WINDOWS\Application Data\ante bias phone warn\RectHtm.exe

O4 - HKCU\..\Run: [Cnpt] "C:\PROGRA~1\CROSOF~1.NET\csrss.exe" -vt yazb

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe

Then post another log. If the above entries won't disappear, you may have to disable System Restore first, then delete them again, then turn System Restore back on.

Did Trojan Remover pick anything nasty up? And did you update it before you did a scan?

xoLacieox
24-03-2007, 12:53 PM
Logfile of HijackThis v1.99.1
Scan saved at 6:46:12 PM, on 3/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\CustomXML\CustomXML.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\spenca\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: CustomXML Toolbar Helper - {133688B3-7842-4D9D-BF7C-940E1097F900} - C:\WINDOWS\system32\CustomXMLbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CustomXML - {2C986504-AE32-493F-9D44-E1C5D17A3091} - C:\WINDOWS\system32\CustomXMLBand.dll
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [CustomXML] C:\Program Files\CustomXML\CustomXML.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
----------

I don't know how to disable it. If I have to use my control panel, I can't do it because my computer won't let me open anything there either. It says I don't have Rundll32.dll even though I do have it. And I didn't update it. And this is what it picked up:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"ishost.exe"
HKLM\SYSTEM\CurrentControlSet\Services\iPodService

Speedy Gonzales
24-03-2007, 01:04 PM
If trojan remover still picks this up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"ishost.exe", get it to remove it from the registry.

Then boot into Safe Mode (hold F8 after you reboot). Search for ishost.exe and delete it.

Then reboot.

Then see if you can get into the Control Panel.

xoLacieox
24-03-2007, 02:03 PM
All my programs are working correctly now! Thank you SO much!

Speedy Gonzales
24-03-2007, 02:10 PM
Cool, good to hear everything is back to normal! :thumbs:

That ishost, I think, belongs to a worm, and would have been one of the main probs.

I would install a firewall too.

Use something like Comodo (http://www.personalfirewall.comodo.com/)

And install SP1 or 2 and the XP updates.

xoLacieox
24-03-2007, 02:25 PM
It probably was. I'll have to remember that for future reference but hopefully I won't need to.