Please help... unable to remove JS:TrojDnldr-1 [Trj]. HijackThis log included...

hello:

I’ve been unable to remove JS:TrojDnldr-1 [Trj] despite repeated attempts. Every time I start the computer, many IE windows open automatically. Avast gives a virus warning for JS:TrojDnldr-1 [Trj], but is unable to repair it or move it to the chest because it ‘can not access the file’. Deleting it does not help, because the virus comes back when I restart the computer. I disabled System Restore and scanned with Spybot and Adaware, to no avail. The following is the HijackThis log… I really hope one of you experts out there can help me out with this… thank you!!

Logfile of HijackThis v1.98.2
Scan saved at 9:22:40 PM, on 10/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sysentry.exe
C:\WINDOWS\System32\svh0st.exe
C:\WINDOWS\System32\zpwxv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\winmplayer.exe
C:\WINDOWS\System32\crsss.exe
C:\WINDOWS\System32\wmplayer.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\System32\dllmanger.exe
C:\Documents and Settings\Jeff\Application Data\rrsa.exe
C:\WINDOWS\System32?ttrib.exe
C:\Program Files\Skype\Phone\Skype.exe
c:\media.exe
C:\car.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Documents and Settings\Jeff\Desktop\hijackthis.exe

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://www.google.ca/”); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\qagvdv86.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\qagvdv86.slt\prefs.js)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 52.dll
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [IPInSightLAN 01] “C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe” -l
O4 - HKLM..\Run: [IPInSightMonitor 01] “C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM..\Run: [IntelliType] “C:\Program Files\Microsoft Hardware\Keyboard\type32.exe”
O4 - HKLM..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM..\Run: [Samsung LBP SM] “C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe” /autorun
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [System Uptime Server] sysentry.exe
O4 - HKLM..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM..\Run: [starter] scvhosting.exe
O4 - HKLM..\Run: [Microsoft Help] svh0st.exe
O4 - HKLM..\Run: [Win service] zpwxv.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM..\Run: [Windows media service] crsss.exe
O4 - HKLM..\Run: [Media Player] wmplayer.exe
O4 - HKLM..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM..\Run: [Microsoft Connection Manager] dllmanger.exe
O4 - HKLM..\RunServices: [System Uptime Server] sysentry.exe
O4 - HKLM..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM..\RunServices: [starter] scvhosting.exe
O4 - HKLM..\RunServices: [Microsoft Help] svh0st.exe
O4 - HKLM..\RunServices: [Win service] zpwxv.exe
O4 - HKLM..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM..\RunServices: [Windows media service] crsss.exe
O4 - HKLM..\RunServices: [Media Player] wmplayer.exe
O4 - HKLM..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM..\RunServices: [Microsoft Connection Manager] dllmanger.exe
O4 - HKLM..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [Mozilla Quick Launch] “C:\Program Files\Netscape\Netscape\Netscp.exe” -turbo
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [AutoUpdate] C:\WINDOWS\scvhost.exe
O4 - HKCU..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU..\Run: [starter] scvhosting.exe
O4 - HKCU..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU..\Run: [Microsoft Connection Manager] dllmanger.exe
O4 - HKCU..\Run: [Pcam] C:\Documents and Settings\Jeff\Application Data\rrsa.exe
O4 - HKCU..\Run: [Nrbga] C:\WINDOWS\System32?ttrib.exe
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\RunOnce: [Windows Messenger] msmsgs.exe
O8 - Extra context menu item: &Download the file(s) in D.S.Code - C:\Documents and Settings\Jeff\Desktop\DSLite2\dl_text.html
O8 - Extra context menu item: &Download the file(s) in D.S.Code-File - C:\Documents and Settings\Jeff\Desktop\DSLite2\dl_url.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Jeff\Desktop\DSLite2\DSLite.exe
O9 - Extra ‘Tools’ menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Jeff\Desktop\DSLite2\DSLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=154b113bf9603f46c731d769ed14a3bf2ae0a757064ee9bd5449e0fdd44e86d07944db10fe19f321ee033a2b9400d793bd2bfc09b6fd8079524c2d257aed07c9:008ad1ceed4ba741c45e80016782b89b
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1436a16ccc5adbd58d03/netzip/RdxIE601.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip..{FE02E67C-E7ED-49C3-A6B1-6EF733ADCB72}: NameServer = 198.235.216.110 209.226.175.224
O19 - User stylesheet: (file missing)

By the way, I’m using Windows XP and Netscape as my browser.

Click on the link in my signature and follow all steps on that page.
Instead of running a full system scan, run a boottime scan.
Your system is loaded with malware.

Let us know if that solved the problem.

format c: / flattening the system and setting it up PROPERLY would probably be faster
and definitely more secure

→ read the “BACKDOOR” section in the link below “VirusRemoval”
:wink:

Hello. Thanks for your replies. Does this mean my computer is affected by a backdoor? If yes, is it active?
I tried a boot-time scan with avast, which detected viruses again, which I deleted, but they came back after I restarted Windows. I did a virus scan, Spybot scan, and Adaware scan in safe mode, but the virus is still there. When I tried to move the virus to the chest in safe mode, avast still says that it can’t process the file.

Is reformatting my C drive my only option left?

Here’s the new log after doing all the things I described above:

Logfile of HijackThis v1.98.2
Scan saved at 12:08:03 PM, on 10/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sysentry.exe
C:\WINDOWS\System32\svh0st.exe
C:\WINDOWS\System32\zpwxv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\winmplayer.exe
C:\WINDOWS\System32\crsss.exe
C:\WINDOWS\System32\wmplayer.exe
C:\WINDOWS\System32\dllmanger.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
c:\media.exe
C:\car.exe
C:\car.exe
c:\media.exe
C:\Documents and Settings\Jeff\Application Data\rrsa.exe
C:\Documents and Settings\Jeff\Desktop\hijackthis.exe

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://www.google.ca/”); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\qagvdv86.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\qagvdv86.slt\prefs.js)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 52.dll
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [IPInSightLAN 01] “C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe” -l
O4 - HKLM..\Run: [IPInSightMonitor 01] “C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM..\Run: [IntelliType] “C:\Program Files\Microsoft Hardware\Keyboard\type32.exe”
O4 - HKLM..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM..\Run: [Samsung LBP SM] “C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe” /autorun
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [System Uptime Server] sysentry.exe
O4 - HKLM..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM..\Run: [Microsoft Help] svh0st.exe
O4 - HKLM..\Run: [Win service] zpwxv.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM..\Run: [Windows media service] crsss.exe
O4 - HKLM..\Run: [Media Player] wmplayer.exe
O4 - HKLM..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM..\Run: [Microsoft Connection Manager] dllmanger.exe
O4 - HKLM..\RunServices: [System Uptime Server] sysentry.exe
O4 - HKLM..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM..\RunServices: [Microsoft Help] svh0st.exe
O4 - HKLM..\RunServices: [Win service] zpwxv.exe
O4 - HKLM..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM..\RunServices: [Windows media service] crsss.exe
O4 - HKLM..\RunServices: [Media Player] wmplayer.exe
O4 - HKLM..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM..\RunServices: [Microsoft Connection Manager] dllmanger.exe
O4 - HKLM..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [Mozilla Quick Launch] “C:\Program Files\Netscape\Netscape\Netscp.exe” -turbo
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU..\Run: [Microsoft Connection Manager] dllmanger.exe
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [Pcam] C:\Documents and Settings\Jeff\Application Data\rrsa.exe
O4 - HKCU..\RunOnce: [Windows Messenger] msmsgs.exe
O8 - Extra context menu item: &Download the file(s) in D.S.Code - C:\Documents and Settings\Jeff\Desktop\DSLite2\dl_text.html
O8 - Extra context menu item: &Download the file(s) in D.S.Code-File - C:\Documents and Settings\Jeff\Desktop\DSLite2\dl_url.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Jeff\Desktop\DSLite2\DSLite.exe
O9 - Extra ‘Tools’ menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Jeff\Desktop\DSLite2\DSLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=154b113bf9603f46c731d769ed14a3bf2ae0a757064ee9bd5449e0fdd44e86d07944db10fe19f321ee033a2b9400d793bd2bfc09b6fd8079524c2d257aed07c9:008ad1ceed4ba741c45e80016782b89b
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1436a16ccc5adbd58d03/netzip/RdxIE601.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip..{FE02E67C-E7ED-49C3-A6B1-6EF733ADCB72}: NameServer = 198.235.216.110 209.226.175.224
O19 - User stylesheet: (file missing)

Have a look HERE and fix everything that is reported as bad.

And here is the result of my HJT analyzer:

ANALYZER INFORMATION

Log created on : 10-07-2004 18:43:54
Analyzer version : 7
bad.dat version : 20
good.dat version : 22
rec.dat version : 15
dasb.dat version : 4
sus.dat version : 5


CHECKING HIJACKTHIS AND INTERNET EXPLORER :

You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
INMEDIATLY visit http://windowsupdate.microsoft.com and install ALL security patches/updates.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\windows\system32\sysentry.exe
\windows\system32\svh0st.exe
\windows\system32\zpwxv.exe
\windows\system32\winmplayer.exe
\windows\system32\crsss.exe
\windows\system32\wmplayer.exe
\windows\system32\dllmanger.exe
\media.exe
\car.exe
\car.exe
\media.exe
r3 - default urlsearchhook is missing
f1 - win.ini: run=c:\windows..\progra~1\common~1\micros~1\msinfo\msinfo.exe
n3 - netscape 7: user_pref(“browser.startup.homepage”, “http://www.google.ca/”); (c:\documents and settings\jeff\application data\mozilla\profiles\default\qagvdv86.slt\prefs.js)
n3 - netscape 7: user_pref(“browser.search.defaultengine”, “engine://c%3a%5cprogram%20files%5cnetscape%5cnetscape%5csearchplugins%5csbweb_01.src”); (c:\documents and settings\jeff\application data\mozilla\profiles\default\qagvdv86.slt\prefs.js)
o2 - bho: &elitebar - {28caeff3-0f18-4036-b504-51d73bd81abc} - c:\windows\elitetoolbar\elitetoolbar version 52.dll
o4 - hklm..\run: [system uptime server] sysentry.exe
o4 - hklm..\run: [ati video regkey] ati2vid.exe
o4 - hklm..\run: [microsoft help] svh0st.exe
o4 - hklm..\run: [win service] zpwxv.exe
o4 - hklm..\run: [microsoft media services] winmplayer.exe
o4 - hklm..\run: [windows media service] crsss.exe
o4 - hklm..\run: [microsoft connection manager] dllmanger.exe
o4 - hklm..\runservices: [system uptime server] sysentry.exe
o4 - hklm..\runservices: [ati video regkey] ati2vid.exe
o4 - hklm..\runservices: [microsoft help] svh0st.exe
o4 - hklm..\runservices: [win service] zpwxv.exe
o4 - hklm..\runservices: [microsoft media services] winmplayer.exe
o4 - hklm..\runservices: [windows media service] crsss.exe
o4 - hklm..\runservices: [microsoft connection manager] dllmanger.exe
o4 - hkcu..\run: [ati video regkey] ati2vid.exe
o4 - hkcu..\run: [microsoft connection manager] dllmanger.exe
o4 - hkcu..\run: [pcam] c:\documents and settings\jeff\application data\rrsa.exe
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=154b113bf9603f46c731d769ed14a3bf2ae0a757064ee9bd5449e0fdd44e86d07944db10fe19f321ee033a2b9400d793bd2bfc09b6fd8079524c2d257aed07c9:008ad1ceed4ba741c45e80016782b89b
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/quicktimeinstaller.exe
o16 - dpf: {4ed9ddf0-7479-4bbe-9335-5a1edb1d8a21} (mcafee.com operating system class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://207.188.7.150/1436a16ccc5adbd58d03/netzip/rdxie601.cab
o16 - dpf: {86a88967-7a20-11d2-8eda-00600818edb1} (parallelgraphics cortona control) - http://www.parallelgraphics.com/bin/cortvrml.cab
o16 - dpf: {986dde35-e955-11d0-a707-000000521958} - http://69.56.176.75/webplugin.cab
o16 - dpf: {9eb320ce-be1d-4304-a081-4b4665414bef} (mediaticketsinstaller control) - http://www.mt-download.com/mediaticketsinstaller.cab
o16 - dpf: {bcc0ff27-31d9-4614-a68e-c18e1ada4389} (dwnldgroupmgr class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
o19 - user stylesheet: (file missing)


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

\documents and settings\jeff\application data\rrsa.exe
o4 - hkcu..\run: [pcam] c:\documents and settings\jeff\application data\rrsa.exe


THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hklm..\run: [tkbellexe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
o4 - hklm..\run: [sunjavaupdatesched] c:\program files\java\j2re1.4.2_04\bin\jusched.exe
o4 - hklm..\run: [media player] wmplayer.exe
o4 - hklm..\run: [windows messenger] msmsgs.exe
o4 - hklm..\runservices: [media player] wmplayer.exe
o4 - hklm..\runservices: [windows messenger] msmsgs.exe
o4 - hklm..\runonce: [windows messenger] msmsgs.exe
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
o4 - hkcu..\run: [mozilla quick launch] “c:\program files\netscape\netscape\netscp.exe” -turbo
o4 - hkcu..\run: [windows messenger] msmsgs.exe
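
As an added example (not code from this thread or from the HJT analyzer), the Python script below applies the kind of rules the analyzer encodes in its bad.dat/good.dat to O4 autostart lines shaped like the ones in this log: image names that are near-misses of genuine Windows binaries (svh0st.exe, crsss.exe, scvhost.exe), bare filenames with no path, and programs started from the drive root or a user profile. The allow-list and the sample log lines are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Assumption: a short, illustrative allow-list of genuine Windows image names
# that the autostart entries in this thread imitate; not a complete inventory.
KNOWN_GOOD = {
    "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe",
    "wmplayer.exe", "msmsgs.exe", "attrib.exe",
}

# HijackThis O4 line: "O4 - HKLM..\Run: [Entry name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def split_command(cmd):
    """Return (executable path, arguments) from an O4 command string.
    Forum rendering turns the log's straight quotes into curly ones, so both
    quote styles are accepted around a quoted path."""
    cmd = cmd.strip()
    m = re.match(r'["\u201c]([^"\u201d]*)["\u201d]\s*(.*)', cmd)
    if m:
        return m.group(1), m.group(2)
    path, _, args = cmd.partition(" ")
    return path, args


def lookalike_of(image):
    """Return the KNOWN_GOOD name this image closely imitates (svh0st.exe ->
    svchost.exe), or None if it is genuine or not similar enough."""
    image = image.lower()
    if image in KNOWN_GOOD:
        return None
    ratio = lambda good: SequenceMatcher(None, image, good).ratio()
    best = max(KNOWN_GOOD, key=ratio)
    return best if ratio(best) >= 0.8 else None


def suspicious_location(path):
    """A drive root (C:\\car.exe) or a user profile directory is not where
    autostarted programs normally live."""
    p = path.lower()
    return (re.fullmatch(r"[a-z]:\\[^\\]+", p) is not None
            or "\\documents and settings\\" in p)


def triage(lines):
    """Map each O4 entry (hive\\key\\name) to the reasons it was flagged;
    an empty list means nothing looked wrong."""
    report = {}
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, entry, cmd = m.groups()
        path, _args = split_command(cmd)
        image = path.rsplit("\\", 1)[-1]
        reasons = []
        twin = lookalike_of(image)
        if twin:
            reasons.append(f"name imitates {twin}")
        if "\\" not in path:
            reasons.append("bare filename, resolved via search path")
        if suspicious_location(path):
            reasons.append("runs from drive root or user profile")
        report[f"{hive}\\{key}\\{entry}"] = reasons
    return report


# Constructed sample: O4 lines modelled on the ones in this thread's log.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Microsoft Help] svh0st.exe
O4 - HKLM..\RunServices: [Windows media service] crsss.exe
O4 - HKCU..\Run: [AutoUpdate] C:\WINDOWS\scvhost.exe
O4 - HKCU..\Run: [Pcam] C:\Documents and Settings\Jeff\Application Data\rrsa.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
""".strip().splitlines()

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print("FLAG" if reasons else "ok  ", entry, "; ".join(reasons))
```

The name check is deliberately fuzzy, so treat a hit as a reason to look at the file's location, size and signature rather than as proof on its own.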

[quote]
Is reformatting my C drive my only option left?
[/quote]

It is the only sensible option if you value the security of your system/data,
because the system is severely compromised
→ you have several active backdoors on your system,
which allow complete control for a malicious user.

see for yourself → Hijackthis-Analysis:
http://hijackthis.de/logfiles/4c0397ab137ed0e373606129306ff83f.html

several of the red nasties are active Backdoor-Worms !!

if you don’t want to/can’t format:
For a start:

  • fix everything with HijackThis that’s marked RED in the above analysis,
  • and also the F1 entry
    (fixing means putting a checkmark next to the respective line and then clicking “fix checked”)

BEFORE fixing, kill any of the processes/files corresponding to the red-entries
in hijackthis via Config → MiscTools → processManager

after fixing, schedule a boot-time scan & reboot immediately

but keep in mind that only a format & PROPER re-install of WIN
can assure that your system is clean again
→ reread the above mentioned link “VirusRemoval” → BACKDOOR

:wink:

Thank you both so much for your help!! I wish the world had more altruistic individuals like you than authors of the malware that makes people’s lives miserable. >:(

The windows seem to have stopped popping up. I will definitely reformat my drive in the near future. Are there any specific things I should look out for when I reformat? (I’ve never done it before.)

Again thank you so much

Before formatting have the following ready:

  • Have a full installation CD of Windows (or a recovery CD).
  • Make sure you have a firewall and AV software on CD so you can install them before going online.
  • Make sure you have all drivers (mobo, soundcard, videocard, modem, network card, etc.).
  • Back up the data you want to keep before formatting.
  • Have info on your network/dial-up settings ready.

After formatting and installing the above, immediately visit Windows Update and get/install ALL security patches.

Microsoft released totally free update CDs with many patches/updates. They stopped supplying them, but maybe someone there has one you can borrow. It will save you a lot of download time.