Post by: Not-the-Google on March 20, 2005, 11:15:23 PM
Here's a log:
Logfile of HijackThis v1.99.1
Scan saved at 11:19:38 AM, on 3/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html (http://\"http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email (http://\"http://by16fd.bay16.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {742762DA-F5C6-46A2-8ADA-5B508FF16988} (p3ogset Class) - http://203.245.32.75/p3test/p3ogset.cab (http://\"http://203.245.32.75/p3test/p3ogset.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Pmang & SayClub Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab (http://\"http://dl.sayclub.com/sayclub/sayctl/sayax.cab\")
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab (http://\"http://activexdown.paran.com/paranactivex/data/ImPlayer.cab\")
O16 - DPF: {F7530E43-3359-42D0-B8DC-843A45028584} (Hitelontop Control) - http://manager.ongamenet.com/common/control/hitelontop.cab (http://\"http://manager.ongamenet.com/common/control/hitelontop.cab\")
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Please help!
Post by: guestolo on March 21, 2005, 12:09:20 AM
Download and save to Desktop DLLCompare (http://\"http://downloads.subratam.org/DllCompare.exe\")
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button
Post back this log
along with a fresh hijackthis log
Post by: Not-the-Google on March 21, 2005, 01:47:11 PM
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />"________________________________________________
1,014 items found: 1,014 files, 0 directories.
Total of file sizes: 183,865,367 bytes 175.35 M
Administrator Account = True
--------------------End log---------------------
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:51:07 AM, on 3/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\eDonkey2000\eDonkey2000.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html (http://\"http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email (http://\"http://by16fd.bay16.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {742762DA-F5C6-46A2-8ADA-5B508FF16988} (p3ogset Class) - http://203.245.32.75/p3test/p3ogset.cab (http://\"http://203.245.32.75/p3test/p3ogset.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Pmang & SayClub Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab (http://\"http://dl.sayclub.com/sayclub/sayctl/sayax.cab\")
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab (http://\"http://activexdown.paran.com/paranactivex/data/ImPlayer.cab\")
O16 - DPF: {F7530E43-3359-42D0-B8DC-843A45028584} (Hitelontop Control) - http://manager.ongamenet.com/common/control/hitelontop.cab (http://\"http://manager.ongamenet.com/common/control/hitelontop.cab\")
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Post by: guestolo on March 21, 2005, 09:05:42 PM
Find and delete these folders if found
C:\Program Files\WindUpdates <-folder
C:\Program Files\SpyKiller <-folder
Stay in safe mode
Go to Start>>Run>>type in
%temp%
Hit OK
In the new window click
EDIT>>Select All
Delete the selected
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html (http://\"http://red.clientapps.yahoo.com/customize/.../search/ie.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Post back a fresh Hijackthis log
Post by: Not-the-Google on March 22, 2005, 02:12:35 PM
Logfile of HijackThis v1.99.1
Scan saved at 2:16:45 AM, on 3/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\eDonkey2000\eDonkey2000.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\HJT\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email (http://\"http://by16fd.bay16.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {742762DA-F5C6-46A2-8ADA-5B508FF16988} (p3ogset Class) - http://203.245.32.75/p3test/p3ogset.cab (http://\"http://203.245.32.75/p3test/p3ogset.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Pmang & SayClub Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab (http://\"http://dl.sayclub.com/sayclub/sayctl/sayax.cab\")
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab (http://\"http://activexdown.paran.com/paranactivex/data/ImPlayer.cab\")
O16 - DPF: {F7530E43-3359-42D0-B8DC-843A45028584} (Hitelontop Control) - http://manager.ongamenet.com/common/control/hitelontop.cab (http://\"http://manager.ongamenet.com/common/control/hitelontop.cab\")
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Neither of the folders that you asked me to delete was there.
Post by: guestolo on March 22, 2005, 11:26:57 PM
Do you still have Yahoo Messenger and Companion toolbar installed?
It doesn't look like it
Post by: Not-the-Google on March 23, 2005, 11:49:49 AM
/sleep.gif\' class=\'bbc_emoticon\' alt=\'-_-\' />
Post by: guestolo on March 23, 2005, 11:32:02 PM
Download this virus checker from eScan
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, save it and then double click to run
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and save it too a notepad file
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
If you can't run this in normal mode restart to safe mode and run the scan
Save the log to a Notepad file
Post it back
Along with a fresh hijackthis log
Post by: Not-the-Google on March 25, 2005, 10:17:24 PM
File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINNT\localNrd.dll infected by "not-a-virus:AdWare.BiSpy.n" Virus. Action Taken: No Action Taken.
File C:\WINNT\multimpp.dll infected by "not-a-virus:AdWare.BiSpy.o" Virus. Action Taken: No Action Taken.
File C:\WINNT\preInsln.exe infected by "not-a-virus:AdWare.BiSpy.q" Virus. Action Taken: No Action Taken.
File C:\WINNT\preInsMM.exe infected by "not-a-virus:AdWare.BiSpy.o" Virus. Action Taken: No Action Taken.
File C:\WINNT\systb.exe infected by "not-a-virus:AdWare.ToolBar.ImiBar.b" Virus. Action Taken: No Action Taken.
File C:\WINNT\update13.js infected by "Trojan.JS.StartPage.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\exdl.exe infected by "not-a-virus:AdWare.BargainBuddy.j" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\exul.exe infected by "not-a-virus:AdWare.BargainBuddy.j" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\sysupd1003.exe infected by "Trojan-Clicker.Win32.Small.an" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\tksrv98.exe infected by "Trojan-Downloader.Win32.Esepor.q" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Goo Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-3cef6b6a.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc101.tmp infected by "Trojan-Downloader.Win32.Small.id" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc102.exe infected by "Trojan-Downloader.Win32.IstBar.fn" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc127.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc158.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc175.exe infected by "not-a-virus:AdWare.TotalVelocity.o" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc39.exe infected by "not-a-virus:AdWare.Altnet.g" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc62.cab infected by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc79.tmp infected by "Trojan-Downloader.Win32.Dyfuca.cs" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc80.tmp infected by "Trojan-Downloader.Win32.Dyfuca.cr" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc82.cab infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc83.exe infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc89.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc91.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-854245398-1580436667-839522115-1000\Dc92.exe infected by "not-a-virus:AdWare.WebRebates.g" Virus. Action Taken: No Action Taken.
File C:\temp\cdt_bbi8016.exe infected by "not-a-virus:AdWare.BargainBuddy.j" Virus. Action Taken: No Action Taken.
File C:\temp\Installer2.exe infected by "Trojan-Dropper.Win32.Delf.z" Virus. Action Taken: No Action Taken.
File C:\temp\WebRebates_CDT_InstallSilent.exe infected by "not-a-virus:AdWare.WebRebates.g" Virus. Action Taken: No Action Taken.
File C:\WINNT\browserxtras\pn\remove.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.
File C:\WINNT\localNrd.dll infected by "not-a-virus:AdWare.BiSpy.n" Virus. Action Taken: No Action Taken.
File C:\WINNT\multimpp.dll infected by "not-a-virus:AdWare.BiSpy.o" Virus. Action Taken: No Action Taken.
File C:\WINNT\preInsln.exe infected by "not-a-virus:AdWare.BiSpy.q" Virus. Action Taken: No Action Taken.
File C:\WINNT\preInsMM.exe infected by "not-a-virus:AdWare.BiSpy.o" Virus. Action Taken: No Action Taken.
File C:\WINNT\systb.exe infected by "not-a-virus:AdWare.ToolBar.ImiBar.b" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\exdl.exe infected by "not-a-virus:AdWare.BargainBuddy.j" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\exul.exe infected by "not-a-virus:AdWare.BargainBuddy.j" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\sysupd1003.exe infected by "Trojan-Clicker.Win32.Small.an" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\tksrv98.exe infected by "Trojan-Downloader.Win32.Esepor.q" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\adm.exe infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\adm25.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\adm4.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\admprog.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\dmfiles.cab infected by "not-a-virus:AdWare.Altnet.g" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\mysearch.cab infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\pmexe.cab infected by "not-a-virus:AdWare.Altnet.h" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\pmfiles.cab infected by "not-a-virus:AdWare.BrilliantDigital.1007" Virus. Action Taken: No Action Taken.
File C:\WINNT\Temp\Altnet\Setup.exe infected by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.
File C:\WINNT\update13.js infected by "Trojan.JS.StartPage.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:22:28 AM, on 3/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email (http://\"http://by16fd.bay16.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {742762DA-F5C6-46A2-8ADA-5B508FF16988} (p3ogset Class) - http://203.245.32.75/p3test/p3ogset.cab (http://\"http://203.245.32.75/p3test/p3ogset.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Pmang & SayClub Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab (http://\"http://dl.sayclub.com/sayclub/sayctl/sayax.cab\")
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab (http://\"http://activexdown.paran.com/paranactivex/data/ImPlayer.cab\")
O16 - DPF: {F7530E43-3359-42D0-B8DC-843A45028584} (Hitelontop Control) - http://manager.ongamenet.com/common/control/hitelontop.cab (http://\"http://manager.ongamenet.com/common/control/hitelontop.cab\")
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Post by: guestolo on March 25, 2005, 10:42:25 PM
Click the SAVE LIST button
Copy and paste back here the list it produces
Post by: Not-the-Google on March 26, 2005, 02:22:58 PM
Adobe Reader 6.0.1
ALZip
AOL Instant Messenger
ATI Display Driver
DAEMON Tools
DeadAIM
eDonkey2000
HijackThis 1.99.1
Java 2 Runtime Environment, SE v1.4.2
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1
Microsoft Office XP Professional with FrontPage
Microsoft VGX Q833989
MSN Messenger 6.2
NoteWorthy Composer
Outlook Express Q823353
RealPlayer
Rogue Guild KOC Clicker
Security Task Manager 1.6c
Spybot - Search & Destroy 1.3
SpywareBlaster v3.3
Starcraft
Viewpoint Media Player
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB840987
Windows 2000 Hotfix - KB841356
Windows 2000 Hotfix - KB841533
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB871250
Windows 2000 Hotfix - KB873333
Windows 2000 Hotfix - KB873339
Windows 2000 Hotfix - KB885250
Windows 2000 Hotfix - KB885835
Windows 2000 Hotfix - KB885836
Windows 2000 Hotfix - KB888113
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890047
Windows 2000 Hotfix - KB890175
Windows 2000 Hotfix - KB891711
Windows 2000 Hotfix - KB891781
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player system update (9 Series)
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
Post by: guestolo on March 26, 2005, 03:24:59 PM
===Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, recylebin
Windows Cleanup (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Install for now, don't run a scan yet
===Download the Pocket Killbox (http://\"http://www.downloads.subratam.org/KillBox.zip\")
UNZIP it to a folder of your choice
===Download and save to Desktop
Fix180Sh.exe (http://\"http://securityresponse.symantec.com/avcenter/Fix180Sh.exe\")
from Symantec's
Save the rest of these instructions too a Notepad file on your desktop and then Disconnect from the Internet
Access your Control Panel>>Java Plugin>>Click the Cache Tab
Clear Cache
Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINNT\localNrd.dll
Select the Delete button afterwards
The Red circle and a white X
Do the same for the below entries
For any file that won't delete keep track of them, we'll need those in a bit
Do the same for these file names
C:\WINNT\multimpp.dll
C:\WINNT\preInsln.exe
C:\WINNT\preInsMM.exe
C:\WINNT\systb.exe
C:\WINNT\update13.js
C:\WINNT\woinstall.exe
C:\WINNT\system32\exdl.exe
C:\WINNT\system32\exul.exe
C:\WINNT\system32\sysupd1003.exe
C:\WINNT\system32\tksrv98.exe
C:\Documents and Settings\Goo Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-3cef6b6a.zip
C:\temp\cdt_bbi8016.exe
C:\temp\Installer2.exe
C:\temp\WebRebates_CDT_InstallSilent.exe
C:\WINNT\browserxtras\pn\remove.exe
For any file that won't delete
Use the Delete on Reboot radio button
When prompted to Delete on Reboot>>Click YES
If prompted to Reboot NOW>>Click NO until you have added the last
path to the file name
At which time>>Select YES to Reboot NOW
or Restart anyways
Please try and restart your computer into safe mode
You can do this by tapping the F8 key as the system is booting up on restart
Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DON'T log off or restart yet
Ensure you also empty the Norton Protected recycle bin if you can
Try running Symantec's Fix180Sh.exe in safe mode
Save a report after it's done if you have the option
If you can't run it in safe mode try in Normal mode
If anything found restart your computer
Restart back to Normal mode
I would suggest you run another scan with eScan's MWav scan
You may even choose to delete your copy and redownload it as it updates quite frequently
Post the log from it again
Also post a fresh hijackthis log and the report from Fix180Sh.exe, if one was saved