
HJT log for review

Tony D (Free PC Help Long Term Member; joined Dec 30, 2007; 704 messages; Malvern, PA (USA); PC experience: Some Experience; operating system: OSX), post #1
How's this look? I'm guessing the BHO (no name) items need to be removed. Anything else?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:31 PM, on 4/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcntqkdn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\tcntqkdn.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Wayne\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = EarthLink - Welcome to myEarthLink
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Redirect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Upgrade Browser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Redirect
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Upgrade Browser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11429AC0-2422-7DF8-5360-5D00BDC08ACA} - C:\WINDOWS\System32\vifjxkf.dll (file missing)
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\System32\tcntqkdn.exe DWram
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] wuamgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Features] ms32cfg.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Machine] wuamgrd.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\tcntqkdn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://www.verizon.net/WhatsNext/CheckMyPc/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: Web Event Logger - {7ABBACFE-EEC2-9152-A9EE-416592C5C738} - C:\WINDOWS\System32\Jbkkejal.dll (file missing)

--
End of file - 7193 bytes
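As an added example (my code, not from this thread or from HijackThis itself), here is a small Python triage pass that applies the same rules the helpers below apply by eye: O2/O21 hooks whose DLL is gone, unnamed BHOs, O4 Run values that point at a bare filename with no path (the ms32cfg.exe and wuamgrd.exe pattern), and random-looking value or executable names (tcntqkdn.exe). The vowel-ratio threshold in looks_random is my own assumption, a triage hint rather than a verdict; the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11429AC0-2422-7DF8-5360-5D00BDC08ACA} - C:\WINDOWS\System32\vifjxkf.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\System32\tcntqkdn.exe DWram
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] wuamgrd.exe (User 'SYSTEM')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\tcntqkdn.exe
O21 - SSODL: Web Event Logger - {7ABBACFE-EEC2-9152-A9EE-416592C5C738} - C:\WINDOWS\System32\Jbkkejal.dll (file missing)
"""

# O4 registry autostart: "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_REG_RE = re.compile(r"^O4 - (?P<hive>[^:]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.*)\] (?P<cmd>.*)$")
# O4 Startup-folder shortcut: "O4 - Startup: <name>.lnk = <target>"
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?) = (?P<cmd>.+)$")
# First token ending in .exe (optionally quoted); trailing arguments or "(User ...)" are ignored
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def exe_path(cmd: str) -> str:
    """Return the executable portion of an autostart command."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def stem(path: str) -> str:
    """Filename without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(token: str) -> bool:
    """Triage hint (assumed threshold, not a verdict): characters that never belong in a
    value name, or a long letter run with almost no vowels, e.g. 'g]eeV\\mWhjlnspB'."""
    if re.search(r"[^\w .-]", token):
        return True
    letters = re.sub(r"[^A-Za-z]", "", token)
    if len(letters) >= 7:
        return sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.125
    return False


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries a helper would want to look at first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        # A hook whose DLL is gone is dead weight at best, an un-cleaned remnant at worst.
        if "(file missing)" in line or line.endswith("(no file)"):
            findings.append(("missing_file", line))
        if section == "O2" and "(no name)" in line:
            findings.append(("unnamed_bho", line))
        m = O4_REG_RE.match(line)
        if m:
            exe = exe_path(m.group("cmd"))
            # No directory at all: resolved by PATH search, as with ms32cfg.exe / wuamgrd.exe.
            if "\\" not in exe:
                findings.append(("bare_filename", line))
            if looks_random(m.group("name")) or looks_random(stem(exe)):
                findings.append(("random_name", line))
            continue
        m = O4_STARTUP_RE.match(line)
        if m and looks_random(stem(exe_path(m.group("cmd")))):
            findings.append(("random_name", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:14} {line}")
```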
 

AdvancedSetup (FPCH Long Term Member; joined Jan 9, 2008; 819 messages; location 34° 12' 35" N, 118° 29' 21" W), post #2
Not sure where this came from, but it's still infected with stuff that our main routine for removal should clear up.

I would run the ATF, SAS, Malwarebytes, EST clean up and scans again and then run the Hijackthis scan again and post the log.

ms32cfg.exe is a Trojan, as are some other DLL files it's trying to load.

If they're still there after running the routine we've set up, then we need to let SAS and MB know about it.
 

Seth (FPCH Long Term Member; joined Dec 17, 2007; 2,268 messages; Canada; operating system: Windows Vista - Home Premium), post #3
Also uninstall and reinstall Java, as there is a problem with it.

You may want to upgrade to IE7 as well.
 

Tony D, post #4
"I would run the ATF, SAS, Malwarebytes, EST clean up and scans again and then run the Hijackthis scan again and post the log."

Thanks for the look-see. This log is after I ran all the above, with the exception of ATF - I deleted the temp files manually. I deleted the temps, did an ewido scan in Safe Mode w/Networking, SAS, Malwarebytes, ESET and then SAS again and Malwarebytes again.

I also ran the log with all msconfig Startup items disabled and all non-MS Services disabled. I haven't checked into it, but I wonder if the HJT log will be different if those items are enabled?

I will be on the road most of the day. Will look into it late today or tomorrow.

Thanks again.
 

Tony D, post #6
Neighbor 3 doors up the street. He was on dial-up and recently switched to broadband. It has XP Home, SP1, and he let his Norton subscription lapse. It was horrible when I received it. It was a pain to even bring up the Task Manager. Gotta run ...
 

Seth, post #8
The only piece of malware that seems to be left is the Rbot worm. Both SAS and MB should be removing it.

Did you disable SR before the scans?
Did you fully update each and run complete scans?
Did you do a restart into normal mode after each scan?

BTW- I couldn't find any info on tcntqkdn.exe.
 

Tony D, post #9
I believe I restarted the computer before each scan. I'll do it again and see what happens.

Do you know if the HJT log will be different when using Selective Startup to disable all the msconfig Startup items and non-MS Services?
 

AdvancedSetup, post #10
I've not said anything but I really don't like leaving MSCONFIG running. Once the clean up is done I think NORMAL should be restored.

I would restore it back to normal myself since most has been cleaned up.
Then scan again and see where it's at and post HJT again please.
 

Tony D, post #11
I've been running SAS and MB scans. MB is saying this is OK. SAS keeps finding C:\Windows\System32\ZXDNT3D.CFG. Every time it finds this file, it says that I need to restart to complete the job. So I restart, run the scan, and this file comes up again, and again it says I need to restart to complete the job.

I don't see this in msconfig Startup. I do see the file in C:\Windows\System32. Shall I just delete the file?
 

AdvancedSetup, post #12
Hi Kelly,

Normally what I do if I'm not 100% certain if a file is good or not is MOVE it to a new folder that I create from DOS.

The reason I create it in DOS is that most Windows programs and registry redirects don't pay attention to DOS commands.

CD \
MD UNSURE
MOVE C:\Windows\System32\ZXDNT3D.CFG C:\UNSURE

Then do
CD WINDOWS\SYSTEM32
DIR *.CFG
ATTRIB *.CFG

and see what you get. If MB is having trouble moving it, then my guess is that there is some other program holding it open or recreating it.

My guess is there is a process holding it open.

Are you 100% certain you've used the latest 1.10 version of MB?
 

Tony D, post #14
I'm running MB v1.10. I ran MB, which found 3 entries, and then powered down, powered up and ran MB again, which finds the same entries. I've done this 3 times. It says it has removed the items, but it hasn't. Here's the log.

Malwarebytes' Anti-Malware 1.10
Database version: 587

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 93219
Time elapsed: 19 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wayne\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.
 

Tony D, post #15
SAS only sees 4 Earthlink cookies. Then I shut down and restarted and ran another SAS scan, and now it sees only the zxdnt3d.cfg file. It said I needed to reboot to complete, and I did. On reboot, I don't see it anymore. Looks like this time SAS worked. Ran another SAS scan.

zxdnt3d is back and there’s also an Earthlink tracking cookie.

So it was gone and now it's back. Could this be a rootkit?
 

Tony D, post #16
The machine is getting Deewoo popups. I had it turned off in msconfig, but it's now enabled again. Messenger and ctfmon have also been enabled in msconfig - I didn't do it.

I'm going to remove the Deewoo files in Win\Sys32 - maybe that will help as SAS and MB aren't working.
 

Tony D, post #17
I used HJT to remove Deewoo - there was another instance of it in Prefetch - something to watch out for.

Anyway, SAS and MB are now not finding anything. Here's the log - is it ready? I want to enable msconfig Startup items and non-MS Services.

Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Wayne\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = EarthLink - Welcome to myEarthLink
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Redirect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Upgrade Browser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Redirect
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Verizon Central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Upgrade Browser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] wuamgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Machine] wuamgrd.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://www.verizon.net/WhatsNext/CheckMyPc/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: Web Event Logger - {7ABBACFE-EEC2-9152-A9EE-416592C5C738} - C:\WINDOWS\System32\Jbkkejal.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
 

AdvancedSetup, post #18
Hi Kelly,

I would remove all those BHO from within Internet Explorer in the options area under View Objects.

I would go get the AutoRuns program and use it to DELETE some entries as well from the registry.

AutoRuns for Windows v9.13

I think you know what you're doing, but if not, or if you have questions, let me know; don't just blindly whack stuff with this tool.

I would also turn off the Indexing service - take a look here:
Windows XP may run slowly and you may see multiple symptoms in Windows Task Manager

Unless you really HAVE to have them, I would remove ALL the Toolbar Helpers (at least for now).

You also show that you have WUAMGRD.EXE which is a worm - MB and SAS should have removed it - maybe something hiding it.
WUAMGRD.EXE Application/Process Description

Myself, I would probably also remove all the O16 entries and, if I need any of them, go back at that time and get new updates from their respective sites.

Remove this entry: O21 - SSODL: Web Event Logger

Since you're there working on the PC and you know what you're doing I would also disable System Restore and run CHKDSK /F as part of the reboot.

Then reboot the machine and run another MB/SAS scan.
You should also run the ENOD or similar online virus scan.

Hopefully you've gone into the ADD/REMOVE and looked for anything suspicious and removed it. I would remove SPYBOT or AdAware if they're installed. Remove ALL Java for now - if needed go back later on to get a NEW version.

 

Tony D, post #19
The more I read in this forum, the more I realize my lack of knowledge.

Questions:

1) Removing the BHO's within IE - I don't see them in any IE menu. I thought they would be under Programs/Manage Add On, but that feature is not in this version of IE.
- Can I use HJT to remove them?

2) WUAMGRD - It doesn't show up in AutoRuns. I did see 4 entries in the Registry.
- Can I just use HJT to remove it?

3) O16 entries - what are they? I read that they are just 'statements' that you've downloaded the file. What is the purpose of creating the entry in the first place? Especially if it's OK to delete all of the entries?

Thank you - Tony
 

Seth, post #20
1- Yes

2- Yes, but after the restart, check HT again.

3- They are ActiveX controls. As in Ewido needs to install an ActiveX control for the online scan. I'd go ahead and remove them in your case.