# Can i delete this infected file: kernel32.dll ??



## rohanbee (May 13, 2005)

Can i delete the above file if it is infected. It is located in this place WINNT/SYSTEM. I seem to have a virus called VBS.REDLOF.A. Most of the infected files have been removed by me and the changes that were made to the registry by the virus have also been ammended and my norton av has quaranteened this file kernel32.dll. so what i need to know is this:-

1. Can i safely delete this file?
2. If i cannot can i replace it? If yes then where can i download a clean version of this file?

Thanks in advance for any input on this problem.


----------



## shwetanshu (May 13, 2005)

No u cannot delete it, its a system file. U will have to replace it using duering system boot, thats how i did it long ago.
As for getting that file, google it or there may be a i386 folder in WINDOWS directory, open it and search for kernel32.dl_ or something like this, open the file in WinRAR and extract the file, then try replacing it or u can use ur Windows XP CD. 
Also wait for more replies


----------



## imported_dheeraj_kumar (May 13, 2005)

on a similar note, my svchost.exe(i use xp home) has been affected bya  trojan, and my NOD32 antivirus says it cant quarantine or heal or delete this thing. i know this file is important to windows, but what can i do about this infection?

can i do the same what shwethanshu said?


----------



## rohanbee (May 13, 2005)

I have windows 2000 will the file be in the same directory in this os as well??


----------



## it_waaznt_me (May 13, 2005)

First .. its not Kernel32.dll .. Its Kernel.dll ..and yes you can infact you *should* delete that file ..  Reboot in safe mode and first delete Kernel.dll from Window Directory and then Search for Folder.htt (enable hidden and system view first) and delete all of them .. Redlof makes yours system very slow .. After deleting Folder.htt your folder view settings will be lost which you can re enable by running Internet Explorer setup again ..


----------



## saROMan (May 13, 2005)

also search for desktop.ini ..and delete all the files except the one..which prompt that its system file are you sure etc.......


----------



## rohanbee (May 14, 2005)

it_waaznt_me said:
			
		

> First .. its not Kernel32.dll .. Its Kernel.dll ..and yes you can infact you *should* delete that file ..  Reboot in safe mode and first delete Kernel.dll from Window Directory and then Search for Folder.htt (enable hidden and system view first) and delete all of them .. Redlof makes yours system very slow .. After deleting Folder.htt your folder view settings will be lost which you can re enable by running Internet Explorer setup again ..



No it surely is this file i re-checked in c:\WINNT\system32\kernel32.dll
Now what should i do??   I have already deleted all files detected by norton named folder.htt !


----------



## rohanbee (May 14, 2005)

Ok there is another problem which i am facing now and i want to put in a different post to differentiate it (please im not after post count so Forgive!) 
Anyways my norton has been detecting this virus called the trojan.startpage.m and has been putting all these dll files into my quarantine page. 

First, should i delete them?
Second how do i get rid of this infection as norton can't manage to clean them...just quietly quarantines?


----------



## swatkat (May 14, 2005)

Trojan.StartPage is the About:Blank browser Hijacker. This can not be removed by AntiVirus programs.
Download CleanUp! and install it. Boot in *safe mode* and run CleanUp! and click "Options", and here move the slider to "Thorough CleanUp!" and click OK to the warning message, and exit from Options. Then click "CleanUp!" to start cleaning of junk files, after cleaning, click "Close" and reboot to *Normal Mode*, download HijackThis and unzip it to dedicated folder (_like C:\HijackThisFolder\hijackthis.exe_).
Then run it and click the button _Do a System scan and save log file_. HijackThis will perform a scan and saves the log file as _hijackthis.log_ in the same folder where it is installed and it also opens the file automatically.
Copy the contents of the log file and post it.


----------



## swatkat (May 14, 2005)

I think you got infected by Kriz. It replaces the Kernel32.dll file by it's own infected file. You have to replace the original file.
Do you have the Win2000 CD or Setup files backup? If yes, follow these steps:-
1] Loctae this CAB file--> X:\i386\*driver.cab* where X:\ is your CD drive letter. Then use any compresseion tool such as WinZip or WinRAR to open the driver.cab file.
2] Here locate the file *kernel32.dll* and extract it.
3] Then place the extracted file inside this folder --> *Y:\winnt\System32\* where Y:\ is the drive where Win2000 is installed (like C:\ drive).


----------



## rohanbee (May 17, 2005)

After cleaning up my windows. Here is the hijackthis file as you wanted. Please inform what to do now !!

Logfile of HijackThis v1.99.1
Scan saved at 2:16:13 PM, on 5/17/2005
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\IoctlSvc.exe
C:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\rohan\Desktop\SP4Express_EN.exe
e:\a98be2dce84199fc2e6cb8d650605ebc\update\update.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *www.pcquest.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = *www.pcquest.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PCQuest
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro80\opware32.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [TSE_PLUtil] C:\Program Files\USB 2.0 Flash Drive Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINNT\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteays32.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINNT\System32\atiupdpl.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\System32\atiupdpl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [atiupdpl] C:\WINNT\System32\atiupdpl.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=*www.pcquest.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINNT\system32\IoctlSvc.exe
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\Program Files\Symantec\Quarantine\Server\qserver.exe


----------



## rohanbee (May 17, 2005)

swatkat said:
			
		

> I think you got infected by Kriz. It replaces the Kernel32.dll file by it's own infected file. You have to replace the original file.
> Do you have the Win2000 CD or Setup files backup? If yes, follow these steps:-
> 1] Loctae this CAB file--> X:\i386\*driver.cab* where X:\ is your CD drive letter. Then use any compresseion tool such as WinZip or WinRAR to open the driver.cab file.
> 2] Here locate the file *kernel32.dll* and extract it.
> 3] Then place the extracted file inside this folder --> *Y:\winnt\System32\* where Y:\ is the drive where Win2000 is installed (like C:\ drive).



Ok now here is a funny thing. My Norton av corporate edt. has put this file in quarantine and when i go the folder c:\winnt\system32.dll and scan this file individuvally for virus it says it is clean. But in the real time scans it is saying it is corrupted by vbs.redlof.a???
What is happening??
When as you mentioned i unzipped and found a fresh kernel32.dll file which is around 732k and the corrupted one is around 716k. Now i should replace the older one with the fresh unzipped one in normal windows mode.
Awaiting your comments. Thanks!!


----------



## swatkat (May 17, 2005)

1] Download these tools:-
CWShredder
SpSeHjFix


2] Create a folder called SpFix on Desktop, and extract the SpSeFix.ZIP file contents to that folder.
Go to Add/Remove Programs in Control Panel, and here uninstall *Wind Updates*.


3] *Boot in safe mode*.
Run HijackThis, and put a checkmark against these entries:-

*O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteays32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm*

Then close all other open programs except HijackThis, and click "Fix Checked".

Exit from HijackThis, and delete this file:-
C:\winnt\system32\eliteays32.exe

Delete these Folders ( and also the files which may exist inside these folders ):-
C:\WINNT\EliteToolBar
C:\Program Files\Windows TaskAd


4] Run *SpSeHjFix.exe* and click "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a *log of the fix which will appear in the folder that SpSeHjfix is located in*.
Now run CWShredder and click on the "Fix" button.


5] Post a *fresh HijackThis log* and also * the log the SpSeHjFix* created.
Please keep in mind that, Startpage.m is not removed now. You have to follow above steps and post a new HijackThis log to remove the About:Blank Hijacker.

Do you know what is this file/folder --> *e:\a98be2dce84199fc2e6cb8d650605ebc\update\update.exe* , have you downloaded any updates from Microsoft or any other software?


----------



## swatkat (May 17, 2005)

rohanbee said:
			
		

> Ok now here is a funny thing. My Norton av corporate edt. has put this file in quarantine and when i go the folder c:\winnt\system32.dll and scan this file individuvally for virus it says it is clean. But in the real time scans it is saying it is corrupted by vbs.redlof.a???
> What is happening??
> When as you mentioned i unzipped and found a fresh kernel32.dll file which is around 732k and the corrupted one is around 716k. Now i should replace the older one with the fresh unzipped one in normal windows mode.
> Awaiting your comments. Thanks!!


Hi, forgot to mention it. You have to do it in Command Prompt mode. Copy the fresh kernel32.dll file to some other folder (like C:\kernel32.dll). Then restart your PC, and press F8 to get the boot menu, here choose "Command Prompt mode" and then copy the fresh kernel32.dll and paste it in System32 folder. Before doing this create a backup of current kernel32.dll file ("infected") using WinZip or any other compression tool.

Example:- Type this command at Command Prompt, if your fresh file is stored in C:\ drive.
*copy C:\kernel32.dll C:\Winnt\System32\* and press ENTER.


----------



## amitsaudy (May 17, 2005)

Boot your system using the Norton Rescue disk which you created during NAV or Systemworks setup.
Scan the entire system for viruses and deleate all the infected files by doing this you be able to delete
all infected windows system files which are memory resident and cannot be deleted under windows.
After doing this reboot your system and now boot with your windows cd and use the repair option when setup detects your windows installation and prompts for repairing the previous installation.
After setup completes boot with your hdd and now your problem should be solved without loosing any files and settings.


----------



## expertno.1 (May 18, 2005)

get another one from winnt/repair


----------



## rohanbee (May 18, 2005)

Ok here is the file after doing what you said in your post


Logfile of HijackThis v1.99.1
Scan saved at 12:44:45 PM, on 5/18/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\IoctlSvc.exe
C:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsgSys.EXE


C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NILaunch.exe
C:\Program Files\Caere\OmniPagePro80\opware32.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\USB 2.0 Flash Drive Utility\PLBkMon.exe
C:\WINNT\System32\HotfixQ0306270.exe
C:\WINNT\system32\atiupdpl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\lotus\register\remind32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *www.pcquest.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = *www.pcquest.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PCQuest
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro80\opware32.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [TSE_PLUtil] C:\Program Files\USB 2.0 Flash Drive Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINNT\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=*www.pcquest.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - *go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINNT\system32\IoctlSvc.exe
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\Program Files\Symantec\Quarantine\Server\qserver.exe


----------



## rohanbee (May 18, 2005)

Here is the logfile of SpSeHjFix that my computer created:-

(5/18/05 12:32:42 PM) SPSeHjFix started v1.1.2
(5/18/05 12:32:42 PM) OS: Win2000 Service Pack 2 (5.0.2195)
(5/18/05 12:32:42 PM) Language: english
(5/18/05 12:32:42 PM) Win-Path: C:\WINNT
(5/18/05 12:32:42 PM) System-Path: C:\WINNT\system32
(5/18/05 12:32:42 PM) Temp-Path: C:\DOCUME~1\rohan\LOCALS~1\Temp\
(5/18/05 12:32:48 PM) Disinfection started
(5/18/05 12:32:48 PM) Bad-Dll(IEP): (not found)
(5/18/05 12:32:48 PM) Bad-Dll(IEP) in BHO: (not found)
(5/18/05 12:32:48 PM) UBF: 4 - UBB: 0 - UBR: 11
(5/18/05 12:32:48 PM) UBF: 4 - UBB: 0 - UBR: 11
(5/18/05 12:32:48 PM) Bad IE-pages: (none)
(5/18/05 12:32:48 PM) Stealth-String not found
(5/18/05 12:32:48 PM) Not infected->END


----------



## rohanbee (May 18, 2005)

Firstly thanks swatkat for being so patient and helpful. Secondly i installed microsoft anti-spyware beta version and it did take out some threats and am posting those details as well....



			
				swatkat said:
			
		

> Go to Add/Remove Programs in Control Panel, and here uninstall *Wind Updates*.


 I could not find these that you mentioned??



			
				swatkat said:
			
		

> 3] *Boot in safe mode*.
> Run HijackThis, and put a checkmark against these entries:-
> 
> *O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
> ...


Did this some entries where missing as i informed above that i used microsoft anti-spyware beta edition.


			
				swatkat said:
			
		

> Exit from HijackThis, and delete this file:-
> C:\winnt\system32\eliteays32.exe


 Yes i deleted this file. But there is another file called elitefaw32.exe created on the same day. Do i delete this as well??



			
				swatkat said:
			
		

> Delete these Folders ( and also the files which may exist inside these folders ):-
> C:\WINNT\EliteToolBar
> C:\Program Files\Windows TaskAd


There is another folder in C:\WINNT\EliteSideBar what should i do with this??



			
				swatkat said:
			
		

> 4] Run *SpSeHjFix.exe* and click "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a *log of the fix which will appear in the folder that SpSeHjfix is located in*.
> Now run CWShredder and click on the "Fix" button.


Firstly computer did not re-boot on its own so i did it. Cwshredder came out clean. 



			
				swatkat said:
			
		

> 5] Post a *fresh HijackThis log* and also * the log the SpSeHjFix* created.
> Please keep in mind that, Startpage.m is not removed now. You have to follow above steps and post a new HijackThis log to remove the About:Blank Hijacker.
> 
> Do you know what is this file/folder --> *e:\a98be2dce84199fc2e6cb8d650605ebc\update\update.exe* , have you downloaded any updates from Micros
> oft or any other software?



Yes i downloaded some security patch and windows 2000 service pack 2 also and installed it..


----------



## rohanbee (May 18, 2005)

Spyware Scan Details
Start Date: 5/18/2005 11:12:36 AM
End Date: 5/18/2005 11:17:00 AM
Total Time: 4 mins 24 secs 

Detected Threats

WindUpdates Browser Plug-in  more information...
Details: WindUpdates downloads additional adware and displays pop-up advertising.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected files detected
c:\winnt\system32\ide21201.vxd


SearchMiracle.EliteBar Browser Plug-in  more information...
Details: SearchMiracle.EliteBar adds a search redirection toolbar to Internet Explorer called Elite Bar.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\protas.exe
c:\documents and settings\rohan\favorites\casino & carrers\online gaming.url
c:\documents and settings\rohan\favorites\casino & carrers\poker.url
c:\documents and settings\rohan\favorites\casino & carrers\roulette.url
c:\documents and settings\rohan\favorites\casino & carrers\slot machines.url
c:\documents and settings\rohan\favorites\casino & carrers\sport betting.url
c:\documents and settings\rohan\favorites\casino & carrers\sportsbooks.url
c:\documents and settings\rohan\favorites\finances & business\advertising.url
c:\documents and settings\rohan\favorites\finances & business\asset protection.url
c:\documents and settings\rohan\favorites\finances & business\bad credit.url
c:\documents and settings\rohan\favorites\finances & business\bankruptcy.url
c:\winnt\protector.exe
c:\documents and settings\rohan\favorites\finances & business\business opportunity.url
c:\documents and settings\rohan\favorites\finances & business\business.url
c:\documents and settings\rohan\favorites\finances & business\cash advance.url
c:\documents and settings\rohan\favorites\finances & business\credit reports.url
c:\documents and settings\rohan\favorites\finances & business\credit.url
c:\documents and settings\rohan\favorites\finances & business\debt consolidation.url
c:\documents and settings\rohan\favorites\finances & business\debt relief.url
c:\documents and settings\rohan\favorites\finances & business\e commerce.url
c:\documents and settings\rohan\favorites\finances & business\home mortgages.url
c:\documents and settings\rohan\favorites\finances & business\human resources.url
c:\documents and settings\rohan\favorites\casino & carrers\baccarat.url
c:\documents and settings\rohan\favorites\finances & business\insurance.url
c:\documents and settings\rohan\favorites\finances & business\loans.url
c:\documents and settings\rohan\favorites\finances & business\marketing.url
c:\documents and settings\rohan\favorites\finances & business\project management.url
c:\documents and settings\rohan\favorites\finances & business\refinance.url
c:\documents and settings\rohan\favorites\finances & business\small business.url
c:\documents and settings\rohan\favorites\finances & business\work at home.url
c:\documents and settings\rohan\favorites\health & insurance\adipex.url
c:\documents and settings\rohan\favorites\health & insurance\auto insurance.url
c:\documents and settings\rohan\favorites\health & insurance\business insurance.url
c:\documents and settings\rohan\favorites\casino & carrers\betting.url
c:\documents and settings\rohan\favorites\health & insurance\dental insurance.url
c:\documents and settings\rohan\favorites\health & insurance\diet pills.url
c:\documents and settings\rohan\favorites\health & insurance\hair loss.url
c:\documents and settings\rohan\favorites\health & insurance\health insurance.url
c:\documents and settings\rohan\favorites\health & insurance\home insurance.url
c:\documents and settings\rohan\favorites\health & insurance\insurance.url
c:\documents and settings\rohan\favorites\health & insurance\life insurance.url
c:\documents and settings\rohan\favorites\health & insurance\nutrition.url
c:\documents and settings\rohan\favorites\health & insurance\penis enlargement.url
c:\documents and settings\rohan\favorites\health & insurance\phentermine.url
c:\documents and settings\rohan\favorites\casino & carrers\bingo.url
c:\documents and settings\rohan\favorites\health & insurance\prozac.url
c:\documents and settings\rohan\favorites\health & insurance\quit smoking.url
c:\documents and settings\rohan\favorites\health & insurance\term life insurance.url
c:\documents and settings\rohan\favorites\health & insurance\travel insurance.url
c:\documents and settings\rohan\favorites\health & insurance\valtrex.url
c:\documents and settings\rohan\favorites\health & insurance\viagra.url
c:\documents and settings\rohan\favorites\health & insurance\weight loss.url
c:\documents and settings\rohan\favorites\health & insurance\xenical.url
c:\documents and settings\rohan\favorites\homelife & travel\adventure travel.url
c:\documents and settings\rohan\favorites\homelife & travel\air conditioning.url
c:\documents and settings\rohan\favorites\casino & carrers\blackjack.url
c:\documents and settings\rohan\favorites\homelife & travel\air purifiers.url
c:\documents and settings\rohan\favorites\homelife & travel\air travel.url
c:\documents and settings\rohan\favorites\homelife & travel\blinds.url
c:\documents and settings\rohan\favorites\homelife & travel\celebrity cruises.url
c:\documents and settings\rohan\favorites\homelife & travel\cheap hotels.url
c:\documents and settings\rohan\favorites\homelife & travel\hawaii travel.url
c:\documents and settings\rohan\favorites\homelife & travel\home equity loans.url
c:\documents and settings\rohan\favorites\homelife & travel\home mortgages.url
c:\documents and settings\rohan\favorites\homelife & travel\international travel.url
c:\documents and settings\rohan\favorites\homelife & travel\las vegas hotels.url
c:\documents and settings\rohan\favorites\casino & carrers\horse racing.url
c:\documents and settings\rohan\favorites\homelife & travel\lighting.url
c:\documents and settings\rohan\favorites\homelife & travel\mattress.url
c:\documents and settings\rohan\favorites\homelife & travel\moving.url
c:\documents and settings\rohan\favorites\homelife & travel\refinance.url
c:\documents and settings\rohan\favorites\homelife & travel\relocation.url
c:\documents and settings\rohan\favorites\homelife & travel\travel agents.url
c:\documents and settings\rohan\favorites\homelife & travel\travel insurance.url
c:\documents and settings\rohan\favorites\homelife & travel\travel.url
c:\documents and settings\rohan\favorites\casino & carrers\online betting.url
c:\documents and settings\rohan\favorites\casino & carrers\online casinos.url

Infected folders detected
c:\documents and settings\rohan\favorites\casino & carrers
c:\documents and settings\rohan\favorites\finances & business
c:\documents and settings\rohan\favorites\health & insurance
c:\documents and settings\rohan\favorites\homelife & travel

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{0A1D22C3-37BE-470C-9C29-E3074EE0574B} 
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} &EliteBar
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar maxshow 6
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar 
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar Activated 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar AccountNumber visaid
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar uninstalled no
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar _show 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar FirstTimeStarted 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar SearchIndex 0
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar AutoComplete 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar ac1 adult
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647} 
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar adult.tbr 9
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar popupblocker no
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar popups no
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar pthreshold 5
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar default.tbr 9
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar search.mnu 9
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar version 60
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar path C:\WINNT\EliteToolBar\
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar UpdateDate 18050500
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar UpdateAttempt 18050510
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\InprocServer32 C:\WINNT\EliteSideBar\EliteSideBar 08.dll
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar guid fb8754c6-04a3-4ffe-bb08-aa431a0ba3fe
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar dnsc yes
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar searchkeys |*www.yupsearch.com/search.php
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar purl *yupsearch.com/link.php?k=
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar keywordlist C:\WINNT\EliteToolBar\elitelist
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar kwver 2
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar errorreport yes
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar excluded google.com,yahoo.com,searchmiracle.com
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar 
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar axparam &msbb=&protector_tool=1
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar city Mohali
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar state 16
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar country India
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar Activated 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar {825CF5BD-8862-4430-B771-0C15C5CA8DEF} 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED103D9F-3070-4580-AB1E-E5C179C1AE41} 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED103D9F-3070-4580-AB1E-E5C179C1AE41} 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run checkrun 
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus\1 131473
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteBar Internet Explorer Toolbar 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteBar Internet Explorer Toolbar UninstallString regsvr32 /s /u "C:\WINNT\EliteToolBar\EliteToolBar version 60.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteBar Internet Explorer Toolbar DisplayName EliteBar Internet Explorer Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteBar Internet Explorer Toolbar DisplayIcon "C:\WINNT\EliteToolBar\EliteToolBar version 60.dll", 1
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus 0
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\ProgID CGBand.CGBandObj.1
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\TypeLib {8AA59E15-6E81-415C-B299-1ADFB50C8E1A}
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Version 1.0
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647}\VersionIndependentProgID CGBand.CGBandObj
HKEY_CLASSES_ROOT\clsid\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}\InprocServer32 C:\WINNT\EliteSideBar\EliteSideBar 08.dll
HKEY_CLASSES_ROOT\clsid\{BE8D0059-D24D-4919-B76F-99F4A2203647} Elite SideBar
HKEY_CLASSES_ROOT\clsid\{ED103D9F-3070-4580-AB1E-E5C179C1AE41} 
HKEY_CLASSES_ROOT\clsid\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\InprocServer32 C:\WINNT\EliteSideBar\EliteSideBar 08.dll
HKEY_CLASSES_ROOT\clsid\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Instance\InitPropertyBag 0
HKEY_CLASSES_ROOT\clsid\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus\1 131473
HKEY_CLASSES_ROOT\clsid\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus 0
HKEY_CLASSES_ROOT\clsid\{ED103D9F-3070-4580-AB1E-E5C179C1AE41} &EliteSideBar
HKEY_CURRENT_USER\Software\LQ 
HKEY_CURRENT_USER\Software\LQ TM 10
HKEY_CLASSES_ROOT\clsid\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} 
HKEY_CURRENT_USER\Software\LQ U 0
HKEY_CURRENT_USER\Software\LQ AD 5
HKEY_CURRENT_USER\Software\LQ AC 1250
HKEY_CURRENT_USER\Software\LQ I {FBF210DE-5709-4CF5-B85A-4A124DCADF2B}
HKEY_CURRENT_USER\Software\LQ AT 86400
HKEY_CURRENT_USER\Software\LQ AM 6
HKEY_CURRENT_USER\Software\LQ TR 86400
HKEY_CURRENT_USER\Software\LQ leck trump
HKEY_CURRENT_USER\Software\LQ country India
HKEY_CURRENT_USER\Software\LQ city Mohali
HKEY_CLASSES_ROOT\clsid\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}\InprocServer32 C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
HKEY_CURRENT_USER\Software\LQ state 16
HKEY_CURRENT_USER\Software\LQ RX 1
HKEY_CURRENT_USER\Software\LQ RX2.8 1
HKEY_CURRENT_USER\Software\LQ RX2.9 1
HKEY_CURRENT_USER\Software\LQ RX3.0 1
HKEY_CURRENT_USER\Software\LQ RX3.1 1
HKEY_CURRENT_USER\Software\LQ RX3.2 1
HKEY_CURRENT_USER\Software\LQ RX3.3 1
HKEY_CURRENT_USER\Software\LQ FU3.4 1
HKEY_CURRENT_USER\Software\LQ FU3.5 1
HKEY_CLASSES_ROOT\clsid\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}\InprocServer32 ThreadingModel Apartment
HKEY_CURRENT_USER\Software\LQ FU3.6 1
HKEY_CURRENT_USER\Software\LQ LU3.7 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}\InprocServer32 C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} &EliteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} &EliteBar
HKEY_CLASSES_ROOT\clsid\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} &EliteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar 
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar AccountNumber visaid
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar uninstalled no
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar _show 1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar FirstTimeStarted 1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar SearchIndex 0
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar AutoComplete 1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar ac1 adult
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar adult.tbr 9
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar popupblocker no
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} 
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar popups no
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar pthreshold 5
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar default.tbr 9
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar search.mnu 9
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar version 60
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar path C:\WINNT\EliteToolBar\
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar UpdateDate 18050500
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar UpdateAttempt 18050510
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar guid fb8754c6-04a3-4ffe-bb08-aa431a0ba3fe
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar dnsc yes
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar searchkeys |*www.yupsearch.com/search.php
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar purl *yupsearch.com/link.php?k=
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar keywordlist C:\WINNT\EliteToolBar\elitelist
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar kwver 2
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar errorreport yes
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar excluded google.com,yahoo.com,searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar 
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar axparam &msbb=&protector_tool=1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar city Mohali
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar state 16
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar country India
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar Activated 1
HKEY_LOCAL_MACHINE\Software\Elitum 
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar UpdateDate 17050500
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar FirstTimeStarted 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar version 08
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar path C:\WINNT\EliteSideBar\
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar UpdateAttempt 18050511
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar excluded google.com,yahoo.com,searchmiracle.com
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar url *yupsearch.com/sb.php?qq=


Windows TaskAd Adware  more information...
Details: Windows TaskAd is advertisement delivery software that provides targeted advertising offers.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\Program Files\Windows TaskAd\WinTaskAd.exe
c:\program files\windows taskad\info.txt
c:\program files\windows taskad\winproject.dll
c:\program files\windows taskad\winsched.exe

Infected folders detected
c:\program files\windows taskad

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows TaskAd 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows TaskAd 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows TaskAd 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows TaskAd 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows TaskAd 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows TaskAd 


Detected Spyware Cookies
No spyware cookies were found during this scan.


----------



## swatkat (May 18, 2005)

Download Webroot Spysweeper and CCleaner and install them.

1] Run HijackThis and click "Do only a System scan". Then select these entries:-

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *searchmiracle.com/sp.php*

Then close all other open programs except HijackThis, and click "Fix Checked" in HijackThis.

2] Exit from HijackThis. Yes, delete these files and folders:-
C:\WINNT\EliteSideBar
elitefaw32.exe

Delete these files if you find it:-
C:\protas.exe
c:\winnt\protector.exe

And go this folder *c:\documents and settings\rohan\favorites\* and delete *all* folders and files inside the *Favorites* folder. (Do not delete the Favorites folder!)

3] Run WebRoot SpySweeper, Click "Options" button and then click "Sweep Options" tab, and here select all the Hard Disk Partitions.
Select these items in the "What to Sweep" Options box:-
"Sweep Memory"
"Sweep Registry"
"Sweep All User Accounts"
"Do Not Sweep System Restore Folders"

In the "Where to Sweep" Options box, select "Sweep All Folders on selected drives".
Then click "Sweep Now" button in left pane, and click "Start". After the scan, remove all the malwares it may find.

Run CCleaner, click "Options" button and here go to "Settings" tab and *uncheck* the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner".


4] Restart the System. Run HijackThis again and post a fresh log.


Did you run MS AntiSpyware *before* fixing with HijackThis? Also, did WebRoot Spysweeper found anything? IS the Kernel32.dll is alright now (Is Norton detecting any virus)?


----------



## rohanbee (May 18, 2005)

I have not touched the kernel32 file yet. Just shot of an e-mail to norton as well. Lets see their response. 

Yes, i did run Ms antispyware before fixing with Hijackthis. But is that bad/wrong???

I am downloading the softwares now and will revert back to you..........
By the way should keep the softwares such as cwshredder and spfix??? ..........


----------



## swatkat (May 18, 2005)

No problems in running MS AntiSpyware before HijackThis, but it will remove some baddies, due to this they do not appear in HijackThis, that's all.

Yes, you can keep CWShredder, SpSeHjFix.


----------



## swatkat (May 18, 2005)

To *prevent* the installation of bad Tracking cookies, BHOs, Toolbars, ActiveX components, you can use SpywareBlaster. Just run it, and click "_Enable All Protection_" and close it! It prevents the installations of bad extensions for Internet Explorer.

After fixing using HijackThis, if possible, perform an online virus scan at Panda ActiveScan, and *save the log file it gives*.
Then post this log along with the HijackThis log.


----------



## rohanbee (May 18, 2005)

Its not about keeping the softwares i just wanna make sure that my Pc doesn't get cluttered. Just tell me how i can further use these softwares to do some preventive protection of my Pc rather than be in a situation like this one..........


----------



## rohanbee (May 18, 2005)

Here is what spy sweeper gave up: -- 
04:06 PM:  |Â·Â·Â·  Start of Session, Wednesday, May 18, 2005  Â·Â·Â·|
04:06 PM:  Spy Sweeper 3.5.0  (Build 199) started
04:06 PM:  Updating spyware definitions
04:07 PM:  There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
04:07 PM:  Sweep initiated using definitions version 421
04:07 PM:  Sweeping memory for threats.
04:08 PM:  Memory sweep has completed.  Elapsed time 00:00:24
04:08 PM:  Registry sweep initiated.
04:08 PM:    Found: 25 EliteBar registry traces.
04:08 PM:    Found: 2 EliteBar SearchMiracle Hijacker registry traces.
04:08 PM:  Registry sweep completed.  Elapsed time 00:00:46
04:08 PM:  Full sweep on all local drives initiated.
04:08 PM:    Now sweeping drive C:
04:12 PM:      Found Cookie: revenue.net Cookie, version 1, c:\documents and settings\rohan\cookies\rohan@revenue[1].txt
04:22 PM:    Found: 1 file traces.
04:22 PM:  Full Sweep has completed.  Elapsed time 00:15:04
             20,700 files swept
             28 item traces located
04:25 PM:  Removal process initiated
04:25 PM:    Quarantining: EliteBar
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq
04:25 PM:      Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser||{825cf5bd-8862-4430-b771-0c15c5ca8def}
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||tm
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||ad
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||am
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||at
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||ac
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||u
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||i
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||tr
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||leck
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||country
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||city
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||state
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||rx
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||rx2.8
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||rx2.9
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||rx3.0
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||rx3.1
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||rx3.2
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||rx3.3
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||fu3.4
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||fu3.5
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||fu3.6
04:25 PM:      Registry: HKEY_CURRENT_USER\software\lq||lu3.7
04:25 PM:    Quarantining: EliteBar SearchMiracle Hijacker
04:25 PM:      Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer||searchurl
04:25 PM:      Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main||search bar
04:25 PM:    Quarantining: revenue.net Cookie
04:25 PM:      Cookie: c:\documents and settings\rohan\cookies\rohan@revenue[1].txt
04:25 PM:    Cleaning Traces
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser|| ({825cf5bd-8862-4430-b771-0c15c5ca8def})
04:25 PM:      Replacing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main|| (search bar) || (*ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm)
04:25 PM:      Replacing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer|| (searchurl) || (*ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (u)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (tr)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (tm)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (state)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.3)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.2)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.1)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.0)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (rx2.9)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (rx2.8)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (rx)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (lu3.7)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (leck)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (i)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (fu3.6)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (fu3.5)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (fu3.4)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (country)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (city)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (at)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (am)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (ad)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq|| (ac)
04:25 PM:      Removing registry: HKEY_CURRENT_USER\software\lq
04:25 PM:  Removal process completed.  Elapsed time 00:00:26
           3 items (28 traces) quarantined.


----------



## swatkat (May 19, 2005)

Ok...Perform a full system scan using Norton, and check whether it detecs the *Startpage.m* or any other spyware/virus.
Also, post a fresh HijackThis log.


----------



## Charley (May 19, 2005)

@Swatkat, give me a check on this log too. Tks.

Logfile of HijackThis v1.99.1
Scan saved at 1:14:03 PM, on 5/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PKWARE\PKZIPW\pkzipw.exe
C:\PKTMP000.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - *surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - *www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = dataone
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 61.1.96.69,61.1.96.71


----------



## rohanbee (May 20, 2005)

swatkat said:
			
		

> Ok...Perform a full system scan using Norton, and check whether it detecs the *Startpage.m* or any other spyware/virus.
> Also, post a fresh HijackThis log.



Ok as per your instructions and more did the following:-
 Did a norton av scan with latest updated virus definitions. It shows the system as completely clean. One file still in quarantine kernel32.dll (iam still thinking over wether to do do what you told me    scared shitless    as to what might happen if things go wrong)

 Did scans with microsfot anti-spyware -- nothing detected

 Scanned with Spysweeper -- 1 item found elite search bar....?? every time i run spy sweeper it finds it. This time i deleted from quarantine as well. Running another sweep!

 Downloaded Windows 2000 service pack 4 and re-started to take effect.


----------



## rohanbee (May 20, 2005)

Swatkat here is my latest file..........

Logfile of HijackThis v1.99.1
Scan saved at 5:01:15 PM, on 5/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\IoctlSvc.exe
C:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NILaunch.exe
C:\Program Files\Caere\OmniPagePro80\opware32.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\USB 2.0 Flash Drive Utility\PLBkMon.exe
C:\WINNT\System32\HotfixQ0306270.exe
C:\WINNT\system32\atiupdpl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\lotus\register\remind32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *www.pcquest.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = *www.pcquest.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PCQuest
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro80\opware32.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [TSE_PLUtil] C:\Program Files\USB 2.0 Flash Drive Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINNT\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=*www.pcquest.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - *go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINNT\system32\IoctlSvc.exe
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\Program Files\Symantec\Quarantine\Server\qserver.exe


----------



## swatkat (May 20, 2005)

Hi,
Log looks clean!  Now what about Kernel32.dll issue? Did you get any reply from Norton?


----------



## rohanbee (May 21, 2005)

Thank the Lord, god & you swatkat.

Norton: Nope nothing till now. They do you give you a warnig that reply's can be delayed for many days due to heavy on-slought of pending inquires.    yes, thats quite conviniet for them isn't it.

about the kernel32.dll can you try it on your system before i try it    
just kidding!!!


----------



## amitsaudy (May 21, 2005)

Maan that sure was a post mortem of the OS.
I ve been followin this thread right from the start
n its been very informative(Thanx to Swatkat)


----------



## rohanbee (May 21, 2005)

Yes and poor me. No thanks to the guy who had to actually suffer so that others could learn  . I would not want this hell again.  

Also Swat my Spysweeper is going to run out of its free trial in 12 days. Is there any other free spyware apart from SpyBot that i can use. 
Or...
should i pay spysweeper and get the subscription!!


----------

