29 replies to this topic

[noviceuser]

I am very sorry Siggyx. You had asked me to do this earlier too and I had done it. By mistake I used the older version.

Here it is.....Thanks

Logfile of HijackThis v1.98.0
Scan saved at 11:07:45 AM, on 8/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\AEQLATOB.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\TEMP\HPFSPHOOK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OPERA7\OPERA.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\SYSTEM\lockctrl.exe C:\WINDOWS\SYSTEM\wgp.exe
O4 - HKLM\..\Run: [HIDEFILESANDFOLDERSA.EXE] C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\AEQLATOB.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

[Siggyx]

Download About:buster from http://downloads.sub...AboutBuster.zip and unzip it to your desktop. Extract file and then check for updates. After updating close file

Boot up in safe mode.(tap f8 while bios loads)

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds. Save the report it creates (copy and paste it into notepad or wordpad and save as a .txt file). Run the scanner twice.

Reboot your computer in normal mode.

Then do an online scan here >>> http://housecall.trendmicro.com/

Then post a new log please.

[noviceuser]

Hi....here is the About Blaster report: -- Scan 1 -------- About:Buster Version 2.0 Attempted Clean Of Temp folder. Pages Reset... Done! -- Scan 2 -------- About:Buster Version 2.0 Attempted Clean Of Temp folder. Pages Reset... Done! And the Hijack log: Logfile of HijackThis v1.98.0 Scan saved at 1:55:34 PM, on 8/4/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0100) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\AEQLATOB.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\S3TRAYHP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE C:\WINDOWS\SYSTEM\PRPCUI.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE C:\WINDOWS\SYSTEM\CTFMON.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE C:\PROGRAM FILES\OPERA7\OPERA.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\SYSTEM\lockctrl.exe C:\WINDOWS\SYSTEM\wgp.exe O4 - HKLM\..\Run: [HIDEFILESANDFOLDERSA.EXE] C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE" O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE" O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\AEQLATOB.exe O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

[Siggyx]

I would like you to go here >>> http://www.kaspersky.com/scanforvirus

and follow the directions to scan each of the files below. You will get a report on each file. Please let me know what they say.

C:\WINDOWS\SYSTEM\AEQLATOB.EXE
C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe

[noviceuser]

Hi Siggyx I scanned these files....but I can't find the last file you noted. I am sure it is because of my lack of technical knowledge. Will I find it in the registry file. AEQLATOB.exe - infected by TrojanDownloader.Win32.Agent.bh HideFilesAndFoldersA.exe - OK Thanks Siggyx

[Siggyx]

I would like you to download and run Trojan Hunter. It is free for 30 days. Let it fix what it finds.

Download Trojan Hunter(trial version).
Next go Hereand download the latest update zip file.
Install Trojan Hunter and make a note of the full path to the folder where it is installed, by default this is
X:\program files\TrojanHunter 3.8 (X is the drive Trojan Hunter is installed on, usually C).
After installation unzip the update file you downloaded to the installation folder you took note of.
Say "Yes to All" when you are asked about replacing files.
You have to completely shut down Trojan Hunter for the new files to be used.
Double click the desktop icon to restart Trojan Hunter, click to continue evaluation.
Click the "Full Scan" button on the upper left.

[noviceuser]

Hi Siggyx I am sorry I have not been able to download the program you suggested. It is 5.4 MB and my computer keeps freezing some where in the middle. I am continuing to try though. In teh meantime all hell has broken loose on my machine....the latest thing is that porn windows start popping up all ny themselves and I can't even shut them down........ ......... I am getting so frustrated........ I will get back to you as soon as I dowload the program..... Many thanks for your continued help.

[missmell75]

i know i'm not in class but, may i suggest, now that you can browse the internet and download stuff etc....go back to housecall and run a virus scan. i have been using that myself and it's done a pretty good job helping me keep my computer trogan free. i had loads of pop up with the trogans i had before and other countless carp** as well. before doing anything else, IF you can go there without being redirected again, run the scan at housecall and let it fix anything it finds, IF it says it's non fixable or what have you, click delete. i'd recomend writing down the virus's and trogans found, and if it can't delete it, or fix it, post in here where it is and someone can tell you how to manually remove it in safe mode. had to do that with a one that couldn't get rid of with housecall. Mell

[Siggyx]

Post a new Hijackthis log. I am going out of town for a week but I will ask an expert to pick up for me in my absence.

[noviceuser]

Thank you Siggyx and missmell75.......here is the hijack log....the porn windows load up each time I switch on windows Here is the log: Logfile of HijackThis v1.98.0 Scan saved at 9:48:01 AM, on 8/12/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0100) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\AEQLATOB.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\S3TRAYHP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE C:\WINDOWS\SYSTEM\PRPCUI.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE C:\WINDOWS\SYSTEM\CTFMON.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\OPERA7\OPERA.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\SYSTEM\lockctrl.exe C:\WINDOWS\SYSTEM\wgp.exe O4 - HKLM\..\Run: [HIDEFILESANDFOLDERSA.EXE] C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE" O4 - HKLM\..\Run: [Cache] C:\QCACHE.EXE O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\AEQLATOB.exe O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

[ChrisRLG]

Hi

I am taking over this fix, while siggyx is away.

I notice that you are using an out of date hijackthis - could you download this later version and delete the current one.
http://www.downloads.../hijackthis.zip

Also notice a O21 line in the previous log and it is not in that latter one, could please ensure that the whole log is copied.

Please post back with that updated log.

[noviceuser]

Hi Chris.....thank you for helping me. Here is the log: Logfile of HijackThis v1.98.2 Scan saved at 10:41:36 AM, on 8/13/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0100) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\AEQLATOB.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\S3TRAYHP.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE C:\WINDOWS\SYSTEM\PRPCUI.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE C:\WINDOWS\SYSTEM\CTFMON.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\PROGRAM FILES\OPERA7\OPERA.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\SYSTEM\lockctrl.exe C:\WINDOWS\SYSTEM\wgp.exe O4 - HKLM\..\Run: [HIDEFILESANDFOLDERSA.EXE] C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE" O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\AEQLATOB.exe O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

[ChrisRLG]

Well TrojanHunter is well out of date - you have version 2.4 it is at 3.9 now.

If you have the paid version do get the update. If not you might as well uninstall it. It is too old to be much use. You might be able to get the later version on 30 day trial, if not and you like it (enough to pay) at the top of this forum is a special offer on it.
=================================

Use 'ctrl' + 'alt' + 'del' (Three keys together) to get taskmanager. Find this processes and 'end task' it.
OR
Use the process viewer in Hijackthis, Config, Misc Tools, Process Viewer, to unload the following running processes.

AEQLATOB.exe

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\AEQLATOB.exe

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
http://www.xtra.co.n...1916458,00.html
Or items 8 & 9 from this link :
http://www.russellte...qhijackthis.htm )

File > > C:\WINDOWS\SYSTEM\AEQLATOB.exe

Then Reboot and post a fresh log for me to check.

please tell me how the system is now, do you have any problems still.

[noviceuser]

Hi Chris Thank you so very much.....explorer seems to be working fine once again. Here is the fresh log: Logfile of HijackThis v1.98.2 Scan saved at 6:04:25 PM, on 8/16/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0100) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\S3TRAYHP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE C:\WINDOWS\SYSTEM\PRPCUI.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE C:\WINDOWS\SYSTEM\CTFMON.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\OPERA7\OPERA.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\SYSTEM\lockctrl.exe C:\WINDOWS\SYSTEM\wgp.exe O4 - HKLM\..\Run: [HIDEFILESANDFOLDERSA.EXE] C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HIDEFILESANDFOLDERSA.EXE O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE" O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL Thanks a million Chris.

[ChrisRLG]

This is my normal post for when you are clear - which you now seem to be - please advise of any problems :-
------------------------
How on earth did I get infected with all that spyware in the first place?
http://www.net-integ...=ST;f=38;t=3051
Also available from here :- http://www.computerc...tlite7736-.html
or http://boards.cexx.o...topic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-

Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.

Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known badies.

Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentaly getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.

With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.