HELP !!!! I'm pulling my hair out

Status
Not open for further replies.

hdvablkman

Can someone please help me. I've been overtaken by popups, virus alerts, and about.com !!! Anytime I do anything in explorer (and sometimes when I just have it open) I get a virus alert that identifies a virus was found called: Trojan.StartPage.

Immediately afterwards a separate dialog box opens up with the letters: RUNDLL at the top. The box says "error loading" and gives me a file name behind the "error loading" message. The file location given is the same one where the virus alert says the Trojan.StartPage virus is located.

I'm new at this and have no idea how to remove the virus. I've tried Spybot, LavaSoft, DigitalDoctor, etc. but they can't seem to get rid of the virus.

When I looked through the forum, I noticed people giving their "HijackThis" log when they had a problem similar to mine. If that's what I need to find and post in order for someone to help me, just let me know what I need to do.

Thanks in advance for your assistance.

HD
 
hdvablkman, Welcome to TF, and the best thing you can do is to follow the instructions in this post: http://www.techist.com/showthread.php?s=&threadid=34713 and then follow these instructions:

Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder

  1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

  2. Download HijackThis to the new folder:

  3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

  4. Close ALL windows except HJT

  5. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')

  6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')

Please make sure you post the entire log including the top portion:

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Liz
 
Help !!! I'm pulling my hair out Cont'd

After continuing to read other posts on viruses, I did figure out how to get to and read my log from HijackThis. If anyone can help with the following, that would be great !!!

HD

Logfile of HijackThis v1.99.0
Scan saved at 8:13:04 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\6g651jyl\6g651jyl.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\110288~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110288~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
c:\windows\system32\wwrxrr.exe
c:\windows\system32\packager.exe
C:\WINDOWS\System32\zstatus.exe
c:\windows\system32\hrdycvht.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\HJT\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HDAVIS~1.HAN\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HDAVIS~1.HAN\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 172.10.1.12 s10b0012
O1 - Hosts: 172.10.1.13 s1036bfm
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {2BE8F0E0-20D6-4793-A6BB-E02889D52BBE} - C:\Program Files\6g651jyl\6g651jyl.dll
O2 - BHO: (no name) - {339A083C-57AB-4F74-B4CD-6AB36CA381E1} - C:\WINDOWS\System32\lndj.dll
O2 - BHO: (no name) - {3E7FE451-3D00-4D16-803B-AB727533C4A8} - C:\Program Files\6g651jyl\6g651jyl.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {66B41094-8E5F-4F7F-82C0-E8F6277ADD9A} - C:\Program Files\6g651jyl\6g651jyl.dll
O2 - BHO: (no name) - {787E5C57-5988-4A6E-AD74-E4087DDA8DD2} - C:\Program Files\6g651jyl\6g651jyl.dll
O2 - BHO: SDWin32 Class - {91AF5618-0BD6-4CA3-ACF1-9F93136B02DA} - C:\WINDOWS\System32\ctxbg.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O2 - BHO: (no name) - {A710A111-6D56-4B77-8331-F1A0C4364924} - C:\Program Files\6g651jyl\6g651jyl.dll
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102881891\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [C:\WINDOWS\jtrgxjxdya.exe] C:\WINDOWS\jtrgxjxdya.exe
O4 - HKLM\..\Run: [6g651jyl] C:\Program Files\6g651jyl\6g651jyl.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [wwrxrr] c:\windows\system32\wwrxrr.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitevpz32.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [HRDYCVHT] c:\windows\system32\hrdycvht.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {47B81E43-4314-4727-8C51-1907A571F422} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {79484802-CE7B-4125-851B-1F2679846D25} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {F8FB2D22-521B-4DBA-A249-49DA13F67C19} - http://www.comcast.net (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {FAB67B41-4D08-47CA-AC14-F14FCBC736BB} - C:\WINDOWS\System32\lndj.dll
O18 - Filter: text/plain - {FAB67B41-4D08-47CA-AC14-F14FCBC736BB} - C:\WINDOWS\System32\lndj.dll
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: iSeries Access for Windows Remote Command - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)

Cont'd
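
A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the original thread: it splits each entry into its section code and body, then applies a few heuristics to decide which entries a helper would read first. The rule names and rules are assumptions made for this example (not HijackThis's own logic), and a flag marks an entry for review, not for "Fix checked".

```python
import re
from collections import Counter

# Entry lines look like "O4 - HKLM\..\Run: [name] path"; header and process lines do not match.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Hypothetical triage rules written for this example; each takes (code, body).
RULES = [
    ("dangling", lambda c, b: "(no file)" in b or "(file missing)" in b),
    ("unnamed_bho", lambda c, b: c == "O2" and b.startswith("BHO: (no name)")),
    ("ie_setting_in_temp", lambda c, b: c in ("R0", "R1") and "res://" in b and "\\temp\\" in b.lower()),
    ("ie_setting_raw_ip", lambda c, b: c in ("R0", "R1") and bool(re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", b))),
    ("run_value_named_as_path", lambda c, b: c == "O4" and bool(re.search(r"Run: \[[^\]]*\\", b))),
]

# Sample input: a subset of lines copied from the log posted in this thread.
SAMPLE = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HDAVIS~1.HAN\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [C:\WINDOWS\jtrgxjxdya.exe] C:\WINDOWS\jtrgxjxdya.exe
O9 - Extra button: ComcastHSI - {F8FB2D22-521B-4DBA-A249-49DA13F67C19} - http://www.comcast.net (file missing) (HKCU)
"""

def parse(log_text):
    """Yield (code, body) for each entry line; everything else is skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(log_text):
    """Return [(code, [rule names], body)] for entries matching at least one rule."""
    flagged = []
    for code, body in parse(log_text):
        flags = [name for name, rule in RULES if rule(code, body)]
        if flags:
            flagged.append((code, flags, body))
    return flagged

def section_counts(log_text):
    """Count entries per section code (R1, O2, O4, ...)."""
    return Counter(code for code, _ in parse(log_text))

if __name__ == "__main__":
    for code, flags, body in triage(SAMPLE):
        print(f"{code:<3} {','.join(flags):<24} {body}")
```
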
 