TheTechGuide Forum
General Category => Tech Clinic => Topic started by: TSD151 on April 11, 2005, 04:46:58 PM
-
I also have this Dao search thing on my computer. please help...here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 11:56:53 AM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\Services\{37BD08E2-D894-427F-92EE-32B84D2D958D}\SVCHOST.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\ktfaqiq.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Documents and Settings\T & A\Start Menu\Programs\Startup\winupdate09854745[1].exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG05.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cmdtel.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\DOCUME~1\T&A~1\LOCALS~1\Temp\tmp1D.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\T&A~1\LOCALS~1\Temp\tmp2C.tmp
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{AC17DF38-43A8-441B-A8EF-6EE83DB35B48}\SVCHOST.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [hssdali] c:\windows\nfxouiy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: winupdate09854745[1].exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: NTDBGTOOL - {0150A00B-2948-4307-B95E-7AC92526A7E4} - C:\WINDOWS\System32\sssttask.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Can you do the following please
Access your Add/Remove Programs and remove, if found:
P2P Networking (usually associated with Kazaa, a useless add-on that can cause slow browsing)
If prompted to remove Altnet, do so
If not, remove Altnet too
Also remove InstaFinderK
If you didn't purposely install MyWay
I would remove it too
Restart your computer if all or any are removed
Back in Windows
===Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
====Download and UNZIP to a folder
HSFIX.zip (http://www.atribune.org/downloads/HSFix.zip)
HSFix directory will be created
We'll need this later
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet
===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt <--we'll need this later
Restart back to Normal mode
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right-click on the screen and choose the "Select All Objects" option, or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box asking whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Back in Windows
Download and Install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html)
After installation--Click the Update button on the left
Then SEARCH FOR UPDATES
Check and Download all updates
Afterwards, click the Search and Destroy button
Check for Problems---Let it complete its scan
FIX everything in RED>>Should be checked by default
Restart the computer again to finish the cleaning process
Post back a fresh HijackThis log afterwards and we'll go from there
Could you also post the log from hsfix.bat>>C:\hslog.txt
-
Thank you for the info. I got to the download the Ad-Aware SE part of your instructions, but when I click download, it takes forever...I've been sitting here for 45 minutes now. It says "Download in progress" but nothing has happened for 45 minutes now??
Also On my desktop I now have the following message:
Fatal error in IE has occured at 0028:c0011E36 in VXD VMM(01) + 00010e36 Error was caused by Trojan-Spy.html.smitfrau.c
Is this something that is a part of this Dao Search thing?
-
I wouldn't worry about the error message yet, looks like it's related to a Trojan
May be gone now, or related files are gone
Not sure about the download of Ad-Aware
Can you cancel it and download it from
This link (http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/AdAware-SE-Personal.shtml)
It's in zipped format, so you'll have to unzip it and then Install and update
May be best after you check for updates
You restart into Safe mode and run the Full System Scan
EDIT>>If you have problems updating Ad-Aware, let me know
I'll upload the latest definitions for you
-
Well I clicked on the link you provided for the Ad-Aware and then clicked on the red "Download" button...again nothing happened. Now my desktop is all black with some ad about my computer is infected with spyware. Help...before I throw this thing out the window.
-
I need you to carry on with the rest of the instructions
Don't worry about Ad-Aware at this time
Go onto the rest of the instructions with Spybot
Try this link if the other one doesn't work for you
http://spybot.zone-x.com/spybotsd13.exe
Again, make sure you check for updates with Spybot after installation
If you can't get the scan to run in normal mode
Restart into safe mode after it's installed and updated and run the scan
Post back with a fresh Hijackthis log afterwards
Regardless of what you could or couldn't do
-
I was able to download the Spybot and check for updates with no problem. It fixed about 10-12 items on the first run and another five after a restart. I still cannot download Adaware. Here is the latest hijackthis log. My desktop still has the Fatal error message.
Logfile of HijackThis v1.99.1
Scan saved at 9:28:26 AM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\wisvccz.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\wp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [acxbjts] c:\windows\amxddlm.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: winupdate09854745[1].exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: NTDBGTOOL - {0150A00B-2948-4307-B95E-7AC92526A7E4} - C:\WINDOWS\System32\sssttask.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
What Happened to the log from Hsfix.bat??
If you didn't download, download it now!!!!
From the link I supplied you earlier
Unzip as I mentioned above
If you did run it, Navigate to
C:\hslog.txt <--this file
Right click on it and rename it to hslog1.txt
After that is done
==Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
==Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link I supplied for a more detailed explanation
==In SAFE MODE==
==Next: Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Loading Outpost Connections
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
Afterwards
==Find and delete these files or folders if found, take a close look at the file names
don't delete something because it looks similar
C:\WINDOWS\system32\init32m.exe <-this file
C:\WINDOWS\System32\cmdtel.exe <-file
C:\WINDOWS\System32\wisvccz.exe <-file
C:\WINDOWS\System32\spoolsrv32.exe <-file, exact name
C:\WINDOWS\System32\sssttask.dll <-file
C:\WINDOWS\system32\wldr.dll <-file
c:\windows\system32\taskmg.exe <-file, exact name
c:\windows\amxddlm.exe <-file
C:\windows\ktfaqiq.exe <-file
C:\wp.exe <-file
C:\Documents and Settings\T & A\Start Menu\Programs\Startup\winupdate09854745[1].exe <-file
C:\Program Files\MyWay <-folder
C:\Program Files\InstaFinderK <-folder
c:\program files\altnet <-folder
C:\WINDOWS\System32\P2P Networking <-folder
C:\WINDOWS\System32\Services\{AC17DF38-43A8-441B-A8EF-6EE83DB35B48} <-folder
C:\Program Files\Security iGuard <-folder
===Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and Paste or Type the next entry in bold to the blank open field box and hit OK
KDE
==When that's done, run Windows CleanUp! again in safe mode
When it's done scanning for files
Don't Log off yet
Instead
==Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what you find
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a (http://\"http://daosearch.com/index.php?id=585&said=nicket_a\")
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [acxbjts] c:\windows\amxddlm.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate09854745[1].exe
O9 - Extra button: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKC
O21 - SSODL: NTDBGTOOL - {0150A00B-2948-4307-B95E-7AC92526A7E4} - C:\WINDOWS\System32\sssttask.dll
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt <--we'll need this later
Restart back to Normal mode
Don't open a browser yet
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked
Run another scan with Hijackthis and post the log
POST the logs from HSFix.bat
C:\hslog.txt <--this log
and
C:\hslog1.txt <-this log
Could you also let me know what other files or folder you see in the below folder
C:\WINDOWS\System32\Services <-this folder
Look over what I asked you to do above
Post back all required logs, keep me updated
It helps both you and myself
Do what you can from the above, let me know what you couldn't accomplish after
-
I did download HSfix, I just forgot to include the log. There isn't much on the log, but here it is:
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
When I got to the part in your instructions about double clicking the outpost connections...I did and when the next window came up, nothing was running for me to STOP the service. I still changed the startup type to disabled and that's all that happened, the type changed to disabled and nothing more...your instructions made it sound as something would then run or list some files for me to find and delete. I tried to hit the start button once the type was changed to disabled, but I received the following alert:
Could not start the loading outpost connections service on local computer. Error 1084: This service cannot be started in safe mode.
I didn't know if I should continue beyond that point so I stopped there.
Thank you for your continued support.
-
I definitely don't want you to try and Start the service
That would be the opposite of what I asked you to do
I guess I should say, STOP the service if running
The files and folders to delete, you will have to manually navigate to them on your computer and remove them
Again, read over what I asked
Do what you can from the instructions I posted
Remember my last comment
Do what you can from the above, let me know what you couldn't accomplish after
-
I did everything you listed, and here is the last Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 5:56:56 PM, on 4/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\igafoaj.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\windows\mlywdop.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm (http://\"http://w-find.com/sp.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm (http://\"http://w-find.com/sp.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10 (http://\"http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pthihoo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [cjnvqev] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjvggol] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gkbyegr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swcyqoi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [taxuayf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wdrcgqp] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvdsxmt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [comcnfv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [coijxwn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gnbwsmn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iicisty] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [npcuxfm] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lwitmgh] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ohjpjuv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvsrmfr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hucerrj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [aldeesa] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dtxfgyq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ojdfpfi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [xmqlnrq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pdusyfn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [magaptx] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vpeawea] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iineube] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qybbedn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [maopbyw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mtwajyv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [nximrbt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [frkbkow] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dqfkefo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ocvglvl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pqxfvyr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [snrjnph] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjcmskc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ystaqag] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wddcowb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ewmjmfj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qscbnsf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qgvwqkd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [obvypkk] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vyrokxn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [sfpkhcu] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hlcgffr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vvqxega] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iprqkia] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swvgrwd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iaaebrt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ukhruyg] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lrcpqcn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ochxdul] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [abvrxxv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iraklpi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iewecgs] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vcilxhi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [eebdkhn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ckxfdmj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [alerqgo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [atitaje] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gqubxjy] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lvsievb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [shgpbkq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [bklbain] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [fniqpmf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ikvbalc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [slkjptw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qfvqcku] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [kfmwjks] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [jiaebkl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lltdteb] c:\windows\ivdsybm.exe
O4 - HKCU\..\Run: [pciywqt] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [awrgctm] c:\windows\jxwtqgy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Here is the last HSfix log:
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
Most of the stuff you said to find and delete, I was able to, but there were some I could not locate. Also at the end of your instructions, where you said to go to control panel and into display properties...I was unable to complete that part because there was no Desktop tab???
Thanks again for your support and patience.
-
Let's do the following
Create a fresh restore point so we have something to fall back on, just in case we must restore your computer
Start>>All Programs>>Accessories>>System Tools>>System Restore
Create a New Restore point
Name it and click Create
Afterwards
Any files you have personally saved on the desktop, please copy and paste them to a folder such as MyDocuments
Let's do the following
==Download and UNZIP to a folder Fixdisplay.zip
So you now have Fixdisplay.reg unzipped to a folder
[attachment=143:attachment]
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link I supplied for a more detailed explanation
Find and delete these files or folders if found
C:\windows\igafoaj.exe <-file
c:\windows\ivdsybm.exe <-file
c:\windows\ovfxudw.exe <-file
c:\windows\jxwtqgy.exe <-file
C:\windows\mlywdop.exe <-file
C:\windows\desktop.html <-file
C:\windows\Web\desktop.html <-file
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm (http://\"http://w-find.com/sp.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm (http://\"http://w-find.com/sp.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKCU\..\Run: [pthihoo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [cjnvqev] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjvggol] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gkbyegr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swcyqoi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [taxuayf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wdrcgqp] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvdsxmt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [comcnfv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [coijxwn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gnbwsmn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iicisty] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [npcuxfm] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lwitmgh] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ohjpjuv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvsrmfr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hucerrj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [aldeesa] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dtxfgyq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ojdfpfi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [xmqlnrq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pdusyfn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [magaptx] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vpeawea] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iineube] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qybbedn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [maopbyw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mtwajyv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [nximrbt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [frkbkow] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dqfkefo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ocvglvl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pqxfvyr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [snrjnph] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjcmskc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ystaqag] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wddcowb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ewmjmfj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qscbnsf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qgvwqkd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [obvypkk] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vyrokxn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [sfpkhcu] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hlcgffr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vvqxega] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iprqkia] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swvgrwd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iaaebrt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ukhruyg] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lrcpqcn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ochxdul] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [abvrxxv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iraklpi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iewecgs] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vcilxhi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [eebdkhn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ckxfdmj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [alerqgo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [atitaje] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gqubxjy] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lvsievb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [shgpbkq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [bklbain] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [fniqpmf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ikvbalc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [slkjptw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qfvqcku] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [kfmwjks] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [jiaebkl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lltdteb] c:\windows\ivdsybm.exe
O4 - HKCU\..\Run: [pciywqt] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [awrgctm] c:\windows\jxwtqgy.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on Fixdisplay.reg and allow it to merge into the registry
Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Restart your computer back to Normal mode
Again, try the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked
If you are now capable of downloading and running Ad-Aware, do so from the links I supplied
Remember to check for updates and Restart the computer after running the scan and fixing the objects
Post back with a fresh hijackthis log afterwards
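A small triage script for the kinds of HijackThis entries picked out in this thread (the shell= line with an extra executable, a service with an unknown owner, IE start/search pages pointing at an unexpected host, and dozens of random-named Run values all launching the same file). This is an added example, not part of the thread or of HijackThis itself; the sample lines are constructed from entries quoted above, and the TRUSTED_HOSTS list is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape HijackThis 1.99 emits: entries quoted in
# this thread plus two benign entries for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [pthihoo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [cjnvqev] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjvggol] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lltdteb] c:\windows\ivdsybm.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: hosts that the ISP/portal defaults on this machine legitimately use.
TRUSTED_HOSTS = ("yahoo.com", "sbc.com", "microsoft.com")

# One pattern per HijackThis section we care about.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(.+?)\] (.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
R_RE = re.compile(r"^R[01] - (.+?),(.+?) = (\S+)")
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)  # first .exe in a Run value


def parse_entries(log_text):
    """Yield each entry line (R0, F2, O4, O23, ...) and skip headers/process list."""
    for line in log_text.splitlines():
        line = line.strip()
        if line and re.match(r"^[A-Z]\d+ - ", line):
            yield line


def triage(log_text):
    """Return a list of (rule, detail) findings for the four patterns above."""
    findings = []
    run_targets = defaultdict(set)  # lower-cased exe path -> Run value names

    for line in parse_entries(log_text):
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group(4))
            if exe:
                run_targets[exe.group(1).lower()].add(m.group(3))
            continue

        m = F2_RE.match(line)
        if m:
            # Winlogon shell should be Explorer.exe alone; anything appended
            # is launched at every logon.
            tokens = [t.lower() for t in m.group(1).split()]
            if tokens != ["explorer.exe"]:
                findings.append(("shell-hijack", m.group(1)))
            continue

        m = O23_RE.match(line)
        if m and m.group(2).lower() == "unknown owner":
            findings.append(("unknown-owner-service", m.group(3)))
            continue

        m = R_RE.match(line)
        if m:
            host = urlparse(m.group(3)).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
                findings.append(("hijacked-ie-setting", f"{m.group(2)} -> {host}"))

    # Many differently named Run values pointing at one file is the pattern
    # seen with igafoaj.exe in this thread.
    for exe, names in run_targets.items():
        if len(names) >= 3:
            findings.append(("multi-run-key-target", f"{exe} ({len(names)} Run names)"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```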
-
I accomplished almost everything in your last, but still I am not able to download Adaware, also when I go to the control panel and switch to Classic View, then click on Display, there is no desktop tab. So I was unable to complete the final steps again. Here is my latest Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:30:37 AM, on 4/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [blcxref] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [oxdcxlg] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [bgorxkd] c:\windows\rhdhnjt.exe
O4 - HKCU\..\Run: [lacodij] c:\windows\fvafoqd.exe
O4 - HKCU\..\Run: [uqjiwwe] c:\windows\jwcvbaw.exe
O4 - HKCU\..\Run: [kpahdbh] c:\windows\lefiiwp.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Ensure you have downloaded Fixdisplay.reg and UNZIPPED it to a folder
Afterwards, print the rest of this out or save it to a Notepad file
Disconnect from the Internet
Do another scan with HijackThis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O4 - HKCU\..\Run: [blcxref] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [oxdcxlg] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [bgorxkd] c:\windows\rhdhnjt.exe
O4 - HKCU\..\Run: [lacodij] c:\windows\fvafoqd.exe
O4 - HKCU\..\Run: [uqjiwwe] c:\windows\jwcvbaw.exe
O4 - HKCU\..\Run: [kpahdbh] c:\windows\lefiiwp.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Afterward, double click on Fixdisplay.reg and allow it to merge into the registry
Restart your computer
Find and delete these files if they exist
c:\windows\ovfxudw.exe
c:\windows\rhdhnjt.exe
c:\windows\fvafoqd.exe
c:\windows\jwcvbaw.exe
c:\windows\lefiiwp.exe
Again, try the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked
Post back a fresh Hijackthis log afterwards
-
Things seem to be getting better each time. I no longer see Dao search popups, and the trojan message is gone from my desktop (just all black now); however, I still cannot complete the last part of your instructions: there is still no "Desktop" tab in Display Properties.
I was unable to Locate:
O4 - HKCU\..\Run: [kpahdbh] c:\Windows\lefiiwp.exe
Also, after restarting the computer, I was unable to locate:
c:\Windows\ovfxudw.exe
And last but not least, whenever I try to log off or shut down, I am receiving an "End Program - Win Min" window. It then says "This program is not responding", and I have to click End Now.
Here is my latest Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 1:39:19 PM, on 4/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\yokrxqu.exe
C:\windows\yokrxqu.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\dpxddch.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yslovyn] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [kkeosjq] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [opadxly] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [cdymlgk] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [tmvpafl] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [wofvcjj] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [xwyrcab] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ppmhwex] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [rbaehgx] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [hmrllvp] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [fnowgsc] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [vdmobdb] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ikocagy] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [uyjngrk] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [acmeabp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mbmlowv] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [wfqdeue] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [rmxtmvp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [iomhkyq] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [kptslyk] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eslrdrx] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mwnsnip] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [pqvbbps] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [uojhivg] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eqtdqkr] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [qcrufir] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mlluhic] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wunabyc] c:\windows\hrvkvun.exe
O4 - HKCU\..\Run: [xltdxuj] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [swvnmgu] c:\windows\ktvxskx.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Hmm, this is a little different
May be related to a newer infection
Can you download and UNZIP to desktop or a folder
RKFiles
[attachment=148:attachment]
Download the Pocket KillBox: http://www.downloads.subratam.org/KillBox.zip
UNZIP it to a folder of your choice
Try this
Copy and paste these instructions to a Notepad file then close all browser windows
Be prepared to Restart into safe mode, I'll be asking you to do that shortly
Open HijackThis>>Open Misc Tools section>>Open Process Manager
Kill these processes
C:\windows\yokrxqu.exe <- all occurrences
C:\windows\dpxddch.exe
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O4 - HKCU\..\Run: [yslovyn] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [kkeosjq] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [opadxly] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [cdymlgk] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [tmvpafl] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [wofvcjj] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [xwyrcab] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ppmhwex] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [rbaehgx] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [hmrllvp] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [fnowgsc] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [vdmobdb] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ikocagy] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [uyjngrk] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [acmeabp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mbmlowv] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [wfqdeue] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [rmxtmvp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [iomhkyq] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [kptslyk] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eslrdrx] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mwnsnip] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [pqvbbps] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [uojhivg] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eqtdqkr] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [qcrufir] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mlluhic] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wunabyc] c:\windows\hrvkvun.exe
O4 - HKCU\..\Run: [xltdxuj] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [swvnmgu] c:\windows\ktvxskx.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Pocket KillBox>>Now KillBox and this Notepad file are open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
c:\windows\ktvxskx.exe
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for these paths to the file names
c:\windows\hrvkvun.exe
c:\windows\xgmtonh.exe
C:\windows\yokrxqu.exe
c:\windows\gcvbknr.exe
c:\windows\xaicctk.exe
C:\windows\dpxddch.exe
Allow the computer to Reboot
or Restart anyway when you've entered the last full path to the file name
At this time Restart into Safe mode by tapping the F8 key as the system is restarting
In safe mode, double click on RKfiles.bat and let it finish scanning
Be patient
When it's done, it will create a log, by default the log is saved at
C:\log.txt
Restart back to Normal mode
Back in windows
Could you also download and UNZIP
Find_It's.zip: http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443
After unzipped open the folder Find_It's
Double click on Find_It's.bat and wait for the log
Post that log back here along with the log from RKfiles.bat>>C:\log.txt
Post back a fresh Hijackthis log too
Try not to restart the computer again after posting the above 3 logs
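The two helper posts above do the same triage by eye each time: pick the hijacked R0/R1 URLs and the random-named HKCU Run values out of a HijackThis log, fix them, then delete the files they launch. As an added example (editorial, not code from this thread, from the helper, or from HijackThis itself), the script below does that reading mechanically over a constructed sample of the same kinds of lines. The trusted-host list, the Windows directory path and the seven-letter-name heuristic are assumptions drawn from this one machine's logs, so the output is a list of entries to review, not a malware verdict.

```python
"""Triage helper for HijackThis O4 (Run key) and R0/R1 (IE URL) lines.

Added example for this thread. The two heuristics encode what the helper
was checking by hand: seven-letter lowercase Run value names launching
seven-letter .exe files dropped straight into the Windows directory, and
several Run values all pointing at the same file.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of the logs posted above; not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yslovyn] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [kkeosjq] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ikocagy] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [qcrufir] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xltdxuj] c:\windows\xaicctk.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
R_RE = re.compile(r"^(R[0-3]) - (\S.*?) = (\S+)")
SEVEN_LOWER = re.compile(r"^[a-z]{7}$")
WINDIR = "c:\\windows"   # assumption: %SystemRoot% on the thread's machine


def command_target(command):
    """Pick the program a Run value launches out of its command line."""
    m = re.match(r'^"([^"]+)"', command)            # quoted path
    if m:
        return m.group(1)
    # unquoted path, possibly containing spaces: stop at the first .exe/.dll/...
    m = re.match(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)", command, re.I)
    if m:
        return m.group(1)
    return command.split()[0] if command.strip() else command


def parse_o4(line):
    m = O4_RE.match(line.strip())
    if not m:
        return None          # Startup-folder O4 lines are not handled here
    hive, key, name, command = m.groups()
    return {"hive": hive, "key": key, "name": name, "target": command_target(command)}


def parse_r(line):
    m = R_RE.match(line.strip())
    if not m:
        return None
    rtype, key, value = m.groups()
    return {"type": rtype, "key": key, "value": value}


def flag_run_entries(entries, windir=WINDIR):
    """Return (name, target, reasons) for O4 entries worth a closer look."""
    names_by_target = defaultdict(set)
    for e in entries:
        names_by_target[e["target"].lower()].add(e["name"])
    flagged = []
    for e in entries:
        target = e["target"].lower()
        directory, _, filename = target.rpartition("\\")
        stem = filename[:-4] if filename.endswith(".exe") else filename
        reasons = []
        if directory == windir and SEVEN_LOWER.match(stem) and SEVEN_LOWER.match(e["name"]):
            reasons.append("seven-letter value name and .exe in the Windows directory root")
        if len(names_by_target[target]) > 1:
            reasons.append("%d different Run values launch the same file" % len(names_by_target[target]))
        if reasons:
            flagged.append((e["name"], e["target"], reasons))
    return flagged


def flag_search_hijacks(entries, trusted_hosts):
    """Return (type, key, host) for R0/R1 URLs pointing outside trusted hosts."""
    flagged = []
    for e in entries:
        if not e["value"].lower().startswith("http"):
            continue             # ProxyServer and similar non-URL values
        host = (urlsplit(e["value"]).hostname or "").lower()
        if host and not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            flagged.append((e["type"], e["key"], host))
    return flagged


def triage(log_text, trusted_hosts=("yahoo.com", "sbc.com", "microsoft.com")):
    """Assumed trusted hosts: the SBC Yahoo! DSL defaults seen in this thread."""
    o4, r = [], []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            o4.append(entry)
            continue
        entry = parse_r(line)
        if entry:
            r.append(entry)
    return {"run": flag_run_entries(o4), "search": flag_search_hijacks(r, trusted_hosts)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, target, reasons in report["run"]:
        print("O4 [%s] %s: %s" % (name, target, "; ".join(reasons)))
    for rtype, key, host in report["search"]:
        print("%s %s -> %s" % (rtype, key, host))
```

Run it as-is to see the flagged lines from the embedded sample, or pass the text of a saved log to triage(). The second heuristic (several Run values launching one file) will also catch legitimate software registered under more than one name, so read the reasons attached to each entry rather than acting on the count alone, and verify the file on disk before deleting anything.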
-
Accomplished everything, except that when I went to HijackThis>>Open Misc Tools section>>Open Process Manager... I was unable to locate and kill c:\Windows\dpxddch.exe.
Here are the logs:
***Find_it's:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Be carefull
Helpers Only delete file's in this section if both criteria are matched
Only if file show's in both 1 and 2 (string search's)
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
Be carefull
Helpers Only delete file's in this section if both criteria are matched
Only if file show's in both 1 and 2 (string search's)
»»»»»»»»»»»»»»»»»»»»»»»» Possible SAHAgent Files found »»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Volume in drive C has no label.
Volume Serial Number is D033-3910
Directory of C:\WINDOWS\system32
Volume in drive C has no label.
Volume Serial Number is D033-3910
Directory of C:\WINDOWS\SYSTEM32
Volume in drive C has no label.
Volume Serial Number is D033-3910
Directory of C:\WINDOWS\SYSTEM
~Edited unneeded second log~
Latest Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 5:41:47 PM, on 4/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\bfyania.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\qaqbnkw.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [vpyphce] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xvdsglg] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ihdkupl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [ldaeqtv] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [dwhrfsx] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [qxlktlx] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [vcaasfn] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [bhjpmho] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ckivrgl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [yiscgnn] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wgssvxc] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mukoahh] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [plcqosy] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [dvcftky] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xxmqpti] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [oehdxfv] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [tflindc] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [sebfwiq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [jpnttlr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [luxcfaw] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xfpuvtv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lblvvlv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mqjjwoh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lmwnugq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [goirkqd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [gsohtyv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xwcgtrh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mejlbse] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [yrijkfd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [fhrjxds] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [djhtktr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mokdxje] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svfrvyr] c:\windows\gehbouq.exe
O4 - HKCU\..\Run: [xollrjm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mvguecn] c:\windows\mbfrbem.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I'll leave the computer on and check for your post tomorrow. Thanks again for all your help, you're like a computer surgeon.
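A log like the one above can be triaged mechanically. The Python script below is an added example (not part of this thread, and not HijackThis or RKFiles code) that parses HijackThis R0/R1 and O4 lines and applies the three checks an analyst makes on this log: Run values that all point at one random-named executable sitting directly in C:\WINDOWS (the dozens of seven-letter value names above mapping to bfyania.exe and mbfrbem.exe), R0/R1 URLs whose host is not one the ISP bundle configured (w-find.com against the rd.yahoo.com defaults), and a ProxyServer entry pointing at 127.0.0.1. The sample log lines, the allowlist of expected hosts and the seven-letter name pattern are constructed for the example and are assumptions, not rules from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 format: a handful of lines
# modelled on the entry types in the thread's log, not the full log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [tflindc] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [sebfwiq] c:\windows\bfyania.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
"""

# Assumed allowlist: the hosts this machine's ISP bundle legitimately sets
# IE defaults to, taken from the R1 entries in the thread.
EXPECTED_HOSTS = {"rd.yahoo.com", "yahoo.sbc.com", "www.yahoo.com"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
R_RE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Seven lowercase letters plus .exe: the naming pattern of the dropped files
# in this thread. A heuristic for this case, not a general malware signature.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7}\.exe$")


def parse_hijackthis(text):
    """Split a HijackThis log into registry Run entries and IE settings."""
    run_entries, ie_settings = [], []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            run_entries.append(m.groups())   # (hive, key, value name, command)
            continue
        m = R_RE.match(line)
        if m:
            ie_settings.append(m.groups())   # (R0/R1, key, value name, value)
    return run_entries, ie_settings


def _target_path(command):
    """First token of the Run command: the quoted path, or the bare one."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)).lower() if m else ""


def find_alias_clusters(run_entries, min_aliases=2):
    """Group Run values by target executable and return targets that sit
    directly in the Windows folder, have a random-looking name and are
    registered under several value names. Legitimate software registers one
    Run value per executable; many random names for one file is the pattern
    the thread's log shows."""
    by_target = defaultdict(list)
    for _hive, _key, name, command in run_entries:
        by_target[_target_path(command)].append(name)
    suspicious = {}
    for target, names in by_target.items():
        folder, _, basename = target.rpartition("\\")
        if (folder == r"c:\windows" and RANDOM_NAME_RE.match(basename)
                and len(names) >= min_aliases):
            suspicious[target] = names
    return suspicious


def find_ie_hijacks(ie_settings, expected_hosts=EXPECTED_HOSTS):
    """R0/R1 start, search and SearchAssistant URLs whose first host is not
    one the owner or ISP configured."""
    findings = []
    for rtype, key, name, value in ie_settings:
        m = HOST_RE.search(value)
        if m and m.group(1).lower() not in expected_hosts:
            findings.append({"type": rtype, "key": key, "name": name,
                             "host": m.group(1).lower()})
    return findings


def find_local_proxy(ie_settings):
    """A ProxyServer entry pointing at the loopback interface, reported for
    review rather than as malicious: a privacy proxy such as the GhostSurf
    Proxy.exe running on this machine sets the same value legitimately."""
    for _rtype, _key, name, value in ie_settings:
        if name == "ProxyServer" and value.split(":")[0].strip() in ("127.0.0.1", "localhost"):
            return value.strip()
    return None


def triage(text, expected_hosts=EXPECTED_HOSTS):
    """Run the three checks over a HijackThis log and return the findings."""
    run_entries, ie_settings = parse_hijackthis(text)
    return {
        "alias_clusters": find_alias_clusters(run_entries),
        "ie_hijacks": find_ie_hijacks(ie_settings, expected_hosts),
        "local_proxy": find_local_proxy(ie_settings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for target, names in result["alias_clusters"].items():
        print(f"{target}: {len(names)} Run aliases ({', '.join(names)})")
    for h in result["ie_hijacks"]:
        print(f"{h['type']} {h['name']} points at {h['host']}")
    if result["local_proxy"]:
        print(f"IE proxies through {result['local_proxy']}: confirm which process owns that port")
```

The loopback proxy is the check that needs a human: the thread shows a GhostSurf proxy link in Global Startup and Proxy.exe running, so 127.0.0.1:7212 may well belong to that product, which is why the script reports it rather than labelling it malicious. Note also that Run values can outlive their target (xaicctk.exe and ktvxskx.exe appear in the Run keys but not in the later RKFiles listing); the clusters are still worth removing so nothing recreates the files at logon.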
-
My bad, TSD151
Both RKFiles and Find_It's write their logs to C:\Log.txt
The RKFiles log got overwritten by Find_It's log
Edited out restarting into safe mode
May not be necessary
Run RKFiles.bat again, let it finish scanning and post back the log it produces
C:\Log.txt
Could you also run a free online virus scan at Panda's?
Save the incident report when it's done and post it back here, thanks
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
And a fresh HijackThis log
Sorry about that
-
Forgive me, for I have sinned... I guess. I did exactly what was in your instructions. Here is the log from RKFiles:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cmdteld.exe: UPX!
C:\WINDOWS\system32\dqaateqe.exe: UPX!
C:\WINDOWS\system32\dqhrijko.exe: UPX!
C:\WINDOWS\system32\gshtqjiq.exe: UPX!
C:\WINDOWS\system32\gslnbaaa.exe: UPX!
C:\WINDOWS\system32\init32m.exe: UPX!
C:\WINDOWS\system32\jhjoaaaa.exe: UPX!
C:\WINDOWS\system32\sgevcaaa.exe: UPX!
C:\WINDOWS\system32\srpcsrv32.dll: UPX!
C:\WINDOWS\system32\jndaaaaa.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\bfyania.exe: UPX!
C:\WINDOWS\brgxteo.exe: UPX!
C:\WINDOWS\cfvnpbm.exe: UPX!
C:\WINDOWS\evumfmx.exe: UPX!
C:\WINDOWS\gehbouq.exe: UPX!
C:\WINDOWS\gvvndux.exe: UPX!
C:\WINDOWS\hglwjlm.exe: UPX!
C:\WINDOWS\kadxqet.exe: UPX!
C:\WINDOWS\mbfrbem.exe: UPX!
C:\WINDOWS\mqgtbiv.exe: UPX!
C:\WINDOWS\nfxouiy.exe: UPX!
C:\WINDOWS\nmboswh.exe: UPX!
C:\WINDOWS\ntasjoi.exe: UPX!
C:\WINDOWS\ocqwhuv.exe: UPX!
C:\WINDOWS\oyglvea.exe: UPX!
C:\WINDOWS\pcvdkdb.exe: UPX!
C:\WINDOWS\powkaix.exe: UPX!
C:\WINDOWS\qaqbnkw.exe: UPX!
C:\WINDOWS\rggrhqo.exe: UPX!
C:\WINDOWS\rqtymkh.exe: UPX!
C:\WINDOWS\sgstvvq.exe: UPX!
C:\WINDOWS\swhhnjo.exe: UPX!
C:\WINDOWS\swjspmr.exe: UPX!
C:\WINDOWS\swlinrb.exe: UPX!
C:\WINDOWS\sys1210.exe: UPX!
C:\WINDOWS\sys1214.exe: UPX!
C:\WINDOWS\sys1217.exe: UPX!
C:\WINDOWS\sys1222.exe: UPX!
C:\WINDOWS\sys1225.exe: UPX!
C:\WINDOWS\sys1227.exe: UPX!
C:\WINDOWS\sys153.exe: UPX!
C:\WINDOWS\sys156.exe: UPX!
C:\WINDOWS\sys159.exe: UPX!
C:\WINDOWS\sys281.exe: UPX!
C:\WINDOWS\sys284.exe: UPX!
C:\WINDOWS\sys287.exe: UPX!
C:\WINDOWS\sys3059.exe: UPX!
C:\WINDOWS\sys312.exe: UPX!
C:\WINDOWS\sys316.exe: UPX!
C:\WINDOWS\sys3419.exe: UPX!
C:\WINDOWS\sys3422.exe: UPX!
C:\WINDOWS\sys3425.exe: UPX!
C:\WINDOWS\sys4142.exe: UPX!
C:\WINDOWS\sys4145.exe: UPX!
C:\WINDOWS\sys4147.exe: UPX!
C:\WINDOWS\sys4434.exe: UPX!
C:\WINDOWS\sys4440.exe: UPX!
C:\WINDOWS\sys4443.exe: UPX!
C:\WINDOWS\sys4655.exe: UPX!
C:\WINDOWS\sys4658.exe: UPX!
C:\WINDOWS\sys471.exe: UPX!
C:\WINDOWS\sys5832.exe: UPX!
C:\WINDOWS\sys5835.exe: UPX!
C:\WINDOWS\sys5838.exe: UPX!
C:\WINDOWS\sys953.exe: UPX!
C:\WINDOWS\sys956.exe: UPX!
C:\WINDOWS\sys958.exe: UPX!
C:\WINDOWS\uccbsyq.exe: UPX!
C:\WINDOWS\vobpcfq.exe: UPX!
C:\WINDOWS\vqbhwyy.exe: UPX!
C:\WINDOWS\wxsvgwm.exe: UPX!
C:\WINDOWS\xjrcqlr.exe: UPX!
C:\WINDOWS\xsrwadi.exe: UPX!
C:\WINDOWS\ywtovhs.exe: UPX!
Finished
bye
I was unable to download from Panda's. I clicked on scan computer and nothing happened.
What do you recommend to download or buy to prevent future infections???
-
Can I see a fresh HijackThis log too?
-
Copy and paste these instructions to a Notepad file, then close all browser windows
Disconnect from the Net
I guess you forgot about a fresh HijackThis log
Let's try the following
Run Pocket KillBox>>Now KillBox and this Notepad file are open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold; do not type this in
C:\WINDOWS\system32\cmdteld.exe
Click the Delete File button after each
The red circle with a white X
Keep track of any file that won't delete, we'll need those in a bit
Do the same for these paths to the file names
C:\WINDOWS\system32\dqaateqe.exe
C:\WINDOWS\system32\dqhrijko.exe
C:\WINDOWS\system32\gshtqjiq.exe
C:\WINDOWS\system32\gslnbaaa.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\system32\jhjoaaaa.exe
C:\WINDOWS\system32\sgevcaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\jndaaaaa.exe
C:\WINDOWS\bfyania.exe
C:\WINDOWS\brgxteo.exe
C:\WINDOWS\cfvnpbm.exe
C:\WINDOWS\evumfmx.exe
C:\WINDOWS\gehbouq.exe
C:\WINDOWS\gvvndux.exe
C:\WINDOWS\hglwjlm.exe
C:\WINDOWS\kadxqet.exe
C:\WINDOWS\mbfrbem.exe
C:\WINDOWS\mqgtbiv.exe
C:\WINDOWS\nfxouiy.exe
C:\WINDOWS\nmboswh.exe
C:\WINDOWS\ntasjoi.exe
C:\WINDOWS\ocqwhuv.exe
C:\WINDOWS\oyglvea.exe
C:\WINDOWS\pcvdkdb.exe
C:\WINDOWS\powkaix.exe
C:\WINDOWS\qaqbnkw.exe
C:\WINDOWS\rggrhqo.exe
C:\WINDOWS\rqtymkh.exe
C:\WINDOWS\sgstvvq.exe
C:\WINDOWS\swhhnjo.exe
C:\WINDOWS\swjspmr.exe
C:\WINDOWS\swlinrb.exe
C:\WINDOWS\sys1210.exe
C:\WINDOWS\sys1214.exe
C:\WINDOWS\sys1217.exe
C:\WINDOWS\sys1222.exe
C:\WINDOWS\sys1225.exe
C:\WINDOWS\sys1227.exe
C:\WINDOWS\sys153.exe
C:\WINDOWS\sys156.exe
C:\WINDOWS\sys159.exe
C:\WINDOWS\sys281.exe
C:\WINDOWS\sys284.exe
C:\WINDOWS\sys287.exe
C:\WINDOWS\sys3059.exe
C:\WINDOWS\sys312.exe
C:\WINDOWS\sys316.exe
C:\WINDOWS\sys3419.exe
C:\WINDOWS\sys3422.exe
C:\WINDOWS\sys3425.exe
C:\WINDOWS\sys4142.exe
C:\WINDOWS\sys4147.exe
C:\WINDOWS\sys4434.exe
C:\WINDOWS\sys4440.exe
C:\WINDOWS\sys4443.exe
C:\WINDOWS\sys4655.exe
C:\WINDOWS\sys4658.exe
C:\WINDOWS\sys471.exe
C:\WINDOWS\sys5832.exe
C:\WINDOWS\sys5835.exe
C:\WINDOWS\sys5838.exe
C:\WINDOWS\sys953.exe
C:\WINDOWS\sys956.exe
C:\WINDOWS\sys958.exe
C:\WINDOWS\uccbsyq.exe
C:\WINDOWS\vobpcfq.exe
C:\WINDOWS\vqbhwyy.exe
C:\WINDOWS\wxsvgwm.exe
C:\WINDOWS\xjrcqlr.exe
C:\WINDOWS\xsrwadi.exe
C:\WINDOWS\ywtovhs.exe
For any file that won't delete
Copy and paste that entry back into KillBox
Select the radio button to
Delete on Reboot
Click the red circle with a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, click NO
When you've entered the last path to the file name
Allow the computer to reboot, or restart anyway
Back in Windows
Post back a fresh HijackThis log
Could you also run RKFiles.bat again and post a fresh log
-
Things seem to be getting better: no more "win min" End Program thing when I shut down. I was able to kill every file in KillBox. Here are my last logs from HijackThis and RKFiles:
Logfile of HijackThis v1.99.1
Scan saved at 11:38:36 AM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [vpyphce] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xvdsglg] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ihdkupl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [ldaeqtv] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [dwhrfsx] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [qxlktlx] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [vcaasfn] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [bhjpmho] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ckivrgl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [yiscgnn] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wgssvxc] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mukoahh] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [plcqosy] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [dvcftky] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xxmqpti] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [oehdxfv] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [tflindc] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [sebfwiq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [jpnttlr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [luxcfaw] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xfpuvtv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lblvvlv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mqjjwoh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lmwnugq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [goirkqd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [gsohtyv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xwcgtrh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mejlbse] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [yrijkfd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [fhrjxds] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [djhtktr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mokdxje] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svfrvyr] c:\windows\gehbouq.exe
O4 - HKCU\..\Run: [xollrjm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mvguecn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yrpjbni] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfktcny] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [htakfvy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kpgisut] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svutihq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [snkjcdy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wnpdpwr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [myoibdt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mqrnnsv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kxglhda] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hrbqsbu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oqjtwpf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqnbcmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [leopyqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jjkjdep] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sojovjy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prdqrcm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dubignt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [danxaom] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wcrpdhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sjekwlt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmcpqh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kfdhrug] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nmjogou] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qmdcuhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mecbqmr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [muvnlvj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nnixohg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qlrcumg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rwoftjd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wqswesy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qtrwdod] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [atxkdqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yakgwet] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wsaqysf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gxtjify] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uigqrol] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [toamymy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jurbybk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fqptoct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kevtskf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cdwtyip] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvmjxfd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fmufxoy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hmvelmf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lcwnjia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cjdpwgo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vswdvys] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkjotms] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hdhptgj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ywlrbon] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [apmkyyc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ghtyywg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xrcfuov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bkrfeau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svnknbb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wfwpint] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjdwrrt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dxpmole] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sbjphab] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eigwyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [giilwov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrplogs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icxvffv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hicfjam] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvuwxyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [csengqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wscaygv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qarbfyv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oseiwcu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vjssffj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qvsfvhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [knnwxfw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [annyjvn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vlblehr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lywngjl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxmblpx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjxbvlg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fcklsja] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fryynds] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xnyswbv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xahrprf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [curuyrr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufcpoyw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tnevgph] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [douykld] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oeqvfmi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uoyfnrk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [refcchy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [krasyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ebcbqoe] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xgmlosi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkitghs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hhwpync] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mhybepf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wplqkvu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tgdulnt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qshxkao] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dwumttm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cedudia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdroaww] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gkyqpkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [drnbpyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggipvnl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsaryo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rctgqsb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [upahhmj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cgmfike] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kgxjbgg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uktuepl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jebtxej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ceafsrw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ixyhnrm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pjrubvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qymqodu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dahqjqf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rjwrvcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [trtbdwx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tysabyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eicyghu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yfbpsnn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ldgutgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufonnkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjpwuvp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocnksvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgjlrtq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pynmimu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rxpgqhy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jhdiwbl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eomqoid] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggdulhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sktggrv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jbtvetu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wbqetcc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjvumct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gmuanqd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [namfoqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sqgwabm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [miqgdyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ymptpwp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lvrrlui] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqppaii] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icsjwib] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wtksnlh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [viljjji] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xedegvw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vheotau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ugcbxhn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mdlbusw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xlegqly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hltpdcw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ethrpqi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tclhtea] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qppigqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [imjhbdh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [roqkmpj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jqhinbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dqwquwh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vhcsjow] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [btusyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bgbygpc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rgcgpad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pvlwdim] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prxtuqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ealltbr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ncgrdqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vymwhey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aiohvlm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [otuqfem] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfpcqvc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cqernyr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yxbqnfj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cxiqqth] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [onpfbgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tliewmk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgnpufx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lojbyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgfclrg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xwyxjop] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pbihpej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdkohar] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qjcgtqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vcllros] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bpyjppy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmgwcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pyrnqoq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vxstbxf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wblobhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [niegrjp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dvpaalu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xukornv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [humyfsa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tyytfck] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rsqasbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ksadoev] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocmwgmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oigbwer] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iyawjqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rbffgwb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjaotsl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [moskdma] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gqodvec] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrxaipd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wstkpqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vvjwunh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [olwhcuh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ltoahkv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgutotv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cltmwoc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vprsuly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bvddexc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lqxxxoh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qqgwiir] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aurucba] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [elpldad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gnmyfwt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qrcpohm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgdrebw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qpxgjyx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxauago] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsriey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wishaxy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [obgwnbd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uracljx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ogvvgla] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uywdeor] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xydvrwj] c:\windows\mbfrbem.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\sys4145.exe: UPX!
Finished
bye
-
Let's try this again
Save these instructions to a Notepad file and then disconnect from the Net
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm (http://\"http://w-find.com/sp.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm (http://\"http://w-find.com/sp.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm (http://\"http://w-find.com/index.htm\")
O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [vpyphce] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xvdsglg] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ihdkupl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [ldaeqtv] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [dwhrfsx] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [qxlktlx] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [vcaasfn] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [bhjpmho] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ckivrgl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [yiscgnn] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wgssvxc] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mukoahh] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [plcqosy] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [dvcftky] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xxmqpti] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [oehdxfv] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [tflindc] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [sebfwiq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [jpnttlr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [luxcfaw] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xfpuvtv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lblvvlv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mqjjwoh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lmwnugq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [goirkqd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [gsohtyv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xwcgtrh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mejlbse] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [yrijkfd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [fhrjxds] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [djhtktr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mokdxje] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svfrvyr] c:\windows\gehbouq.exe
O4 - HKCU\..\Run: [xollrjm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mvguecn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yrpjbni] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfktcny] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [htakfvy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kpgisut] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svutihq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [snkjcdy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wnpdpwr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [myoibdt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mqrnnsv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kxglhda] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hrbqsbu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oqjtwpf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqnbcmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [leopyqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jjkjdep] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sojovjy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prdqrcm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dubignt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [danxaom] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wcrpdhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sjekwlt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmcpqh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kfdhrug] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nmjogou] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qmdcuhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mecbqmr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [muvnlvj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nnixohg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qlrcumg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rwoftjd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wqswesy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qtrwdod] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [atxkdqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yakgwet] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wsaqysf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gxtjify] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uigqrol] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [toamymy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jurbybk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fqptoct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kevtskf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cdwtyip] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvmjxfd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fmufxoy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hmvelmf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lcwnjia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cjdpwgo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vswdvys] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkjotms] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hdhptgj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ywlrbon] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [apmkyyc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ghtyywg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xrcfuov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bkrfeau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svnknbb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wfwpint] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjdwrrt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dxpmole] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sbjphab] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eigwyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [giilwov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrplogs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icxvffv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hicfjam] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvuwxyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [csengqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wscaygv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qarbfyv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oseiwcu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vjssffj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qvsfvhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [knnwxfw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [annyjvn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vlblehr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lywngjl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxmblpx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjxbvlg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fcklsja] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fryynds] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xnyswbv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xahrprf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [curuyrr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufcpoyw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tnevgph] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [douykld] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oeqvfmi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uoyfnrk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [refcchy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [krasyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ebcbqoe] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xgmlosi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkitghs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hhwpync] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mhybepf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wplqkvu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tgdulnt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qshxkao] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dwumttm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cedudia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdroaww] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gkyqpkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [drnbpyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggipvnl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsaryo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rctgqsb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [upahhmj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cgmfike] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kgxjbgg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uktuepl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jebtxej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ceafsrw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ixyhnrm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pjrubvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qymqodu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dahqjqf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rjwrvcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [trtbdwx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tysabyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eicyghu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yfbpsnn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ldgutgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufonnkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjpwuvp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocnksvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgjlrtq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pynmimu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rxpgqhy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jhdiwbl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eomqoid] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggdulhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sktggrv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jbtvetu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wbqetcc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjvumct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gmuanqd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [namfoqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sqgwabm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [miqgdyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ymptpwp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lvrrlui] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqppaii] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icsjwib] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wtksnlh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [viljjji] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xedegvw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vheotau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ugcbxhn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mdlbusw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xlegqly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hltpdcw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ethrpqi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tclhtea] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qppigqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [imjhbdh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [roqkmpj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jqhinbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dqwquwh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vhcsjow] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [btusyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bgbygpc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rgcgpad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pvlwdim] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prxtuqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ealltbr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ncgrdqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vymwhey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aiohvlm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [otuqfem] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfpcqvc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cqernyr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yxbqnfj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cxiqqth] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [onpfbgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tliewmk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgnpufx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lojbyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgfclrg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xwyxjop] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pbihpej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdkohar] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qjcgtqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vcllros] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bpyjppy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmgwcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pyrnqoq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vxstbxf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wblobhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [niegrjp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dvpaalu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xukornv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [humyfsa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tyytfck] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rsqasbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ksadoev] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocmwgmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oigbwer] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iyawjqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rbffgwb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjaotsl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [moskdma] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gqodvec] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrxaipd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wstkpqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vvjwunh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [olwhcuh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ltoahkv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgutotv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cltmwoc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vprsuly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bvddexc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lqxxxoh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qqgwiir] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aurucba] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [elpldad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gnmyfwt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qrcpohm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgdrebw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qpxgjyx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxauago] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsriey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wishaxy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [obgwnbd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uracljx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ogvvgla] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uywdeor] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xydvrwj] c:\windows\mbfrbem.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Pocket KillBox>>Now KillBox and this Notepad file are open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\sys4145.exe
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
Then allow the computer to Reboot
Back in Windows
Supply a fresh Hijackthis log and one more log from Rkfiles.bat
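As an added example (not from this thread, the helper, or HijackThis), here is a Python triage script for the O4 pattern the helper picked out by hand above: dozens of random seven-letter Run values all launching one random-named .exe sitting loose in C:\WINDOWS. The sample log, the seven-letter heuristic and the threshold of five are constructed for this example.

```python
"""Triage HijackThis O4 (autorun) lines for the pattern seen in this thread:
many random seven-letter Run values all pointing at one random-named
executable dropped straight into C:\\WINDOWS.

Added example for this thread, not code from HijackThis or from the helper.
SAMPLE_LOG is constructed from the kinds of lines the posted logs contain.
"""
import re
from collections import defaultdict

# O4 - HKCU\..\Run: [ocnksvq] c:\windows\mbfrbem.exe
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
# Shape of both the value names and the dropped file names in the log:
# exactly seven lowercase letters. A heuristic tuned to this infection, not a general rule.
RANDOM_NAME_RE = re.compile(r'^[a-z]{7}$')
# Legitimate software registers one Run value per program, not dozens (assumed threshold).
MASS_REGISTRATION_THRESHOLD = 5
# Folders where a loose, random-named .exe is suspicious.
SYSTEM_FOLDERS = {'c:\\windows', 'c:\\windows\\system32'}


def parse_o4(line):
    """Split one O4 Run/RunOnce line into hive, key, value name and target path.
    Returns None for other O4 forms (Startup folder entries) and non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    if cmd.startswith('"'):                       # quoted path, arguments may follow
        target = cmd[1:cmd.index('"', 1)]
    else:                                         # unquoted: path is the first token
        target = cmd.split(' ', 1)[0]
    return {'hive': m.group('hive'), 'key': m.group('key'),
            'name': m.group('name'), 'target': target.lower()}


def triage(lines):
    """Group Run entries by target executable and flag the suspicious ones."""
    by_target = defaultdict(set)
    for entry in filter(None, map(parse_o4, lines)):
        by_target[entry['target']].add(entry['name'])
    findings = []
    for target, names in by_target.items():
        reasons = []
        if len(names) >= MASS_REGISTRATION_THRESHOLD:
            reasons.append(f'{len(names)} distinct Run values point at the same file')
        folder, _, base = target.rpartition('\\')
        stem = base[:-4] if base.endswith('.exe') else base
        if folder in SYSTEM_FOLDERS and RANDOM_NAME_RE.match(stem):
            reasons.append('random-looking name dropped loose in a system folder')
        if reasons:
            findings.append({'target': target, 'count': len(names), 'reasons': reasons})
    return sorted(findings, key=lambda f: -f['count'])


# Constructed sample: three normal entries, one mass-registered dropper, one
# single random entry, and a Startup-folder line the parser must ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ocnksvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgjlrtq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pynmimu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rxpgqhy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jhdiwbl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svfrvyr] c:\windows\gehbouq.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['target']}  ({f['count']} Run values)")
        for r in f['reasons']:
            print('   -', r)
```

Feed it a whole HijackThis log and the flagged targets are the files to hand to the helper; everything else is left for a human to judge.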
-
Here are the latest RK and Hijack logs:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
Logfile of HijackThis v1.99.1
Scan saved at 1:05:07 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl (http://\"http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10 (http://\"http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Do you still have the desktop background problems?
Can you look for this file and delete it if found, let me know if you can find it
C:\wp.bmp <-file
Could you also download and UNZIP to a folder
Find.zip
So you now have Find.bat in the same folder
Double click on Find.bat and copy and paste back the contents
-
I was able to find and delete c:\wp.bmp, it is gone. Here is the log from Find.bat:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
-
Can you do the following please.
Because all users are set up differently, we can probably remove the whole System key,
but can you try the following first:
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
Double click on fix.reg and allow it to merge into the registry.
Restart your computer
Let me know if you can now do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked
Can you also let me know if you can now download Ad-Aware SE
See if you can download it from here
http://www.tucows.com/preview/236049.html
Could you also open HijackThis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad" button
Copy and paste back the whole text file that opens
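As an added illustration (this is not code from the thread or from HijackThis), the following Python script parses the .reg export that Find.bat printed above, flags the Policies\System values that hide the Background and Appearance pages or pin the wallpaper style, and builds the same reset that fix.reg applies. The sample export embedded in the script is the one posted earlier in this thread; the key path and value names are the ones shown there.

```python
"""Parse a Windows .reg export and reverse the policy values that lock
Display Properties (the NoDisp*Page / WallpaperStyle restrictions seen in
the Find.bat output above).  Added example, not code from the thread."""
import re

# Constructed sample: the Find.bat export posted earlier in this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"""

POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Handled the way the thread's fix.reg handles them: the NoDisp* pages are
# switched back to 0, WallpaperStyle is deleted ("=-") so the user's own
# wallpaper setting applies again.
RESET_TO_ZERO = ("NoDispBackgroundPage", "NoDispAppearancePage")
DELETE = ("WallpaperStyle",)

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)"|(-))$')


def parse_reg(text):
    """Return {key_path_lowercase: {value_name: value}}.
    dword values become int, string values str, and "=-" (delete) becomes None.
    Lines the parser does not understand are skipped rather than guessed at."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string, delete = m.groups()
            if dword is not None:
                keys[current][name] = int(dword, 16)
            elif delete is not None:
                keys[current][name] = None
            else:
                keys[current][name] = string
    return keys


def find_display_lockouts(keys):
    """List (value_name, value) pairs under the Policies System key that hide
    the Background/Appearance pages or pin the wallpaper style."""
    values = keys.get(POLICY_SYSTEM.lower(), {})
    by_lower = {n.lower(): (n, v) for n, v in values.items()}
    hits = []
    for name in RESET_TO_ZERO:
        hit = by_lower.get(name.lower())
        if hit and hit[1] not in (0, None):     # non-zero dword = page hidden
            hits.append(hit)
    for name in DELETE:
        hit = by_lower.get(name.lower())
        if hit and hit[1] is not None:           # any value pins the style
            hits.append(hit)
    return hits


def build_fix_reg(hits):
    """Emit .reg text that undoes the lockouts, in the same shape as fix.reg."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{POLICY_SYSTEM}]"]
    delete_names = {d.lower() for d in DELETE}
    for name, _ in hits:
        if name.lower() in delete_names:
            lines.append(f'"{name}"=-')
        else:
            lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_display_lockouts(parse_reg(SAMPLE_REG))
    for name, value in found:
        print(f"lockout: {name} = {value!r}")
    print(build_fix_reg(found))
```

Running the script against the embedded export reports the two hidden pages and the pinned wallpaper style, then prints a fix.reg equivalent to the one given above; feeding that output back through parse_reg and find_display_lockouts returns no hits, which is a quick way to confirm a .reg fix actually reverses what the export showed before merging it.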
-
I was able to download Ad-Aware finally. I was also able to get to the Desktop tab in Display Properties; however, I was unable to locate the Web tab under Customize Desktop. Here is the log from Ad-Aware:
Ad-Aware SE Build 1.05
Logfile Created on:Monday, April 18, 2005 3:04:33 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R39 15.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):11 total references
AltnetBDE(TAC index:4):47 total references
Malware.TopAntiSpyware(TAC index:7):20 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
Security iGuard(TAC index:9):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
4/18/2005 3:04:33 AM - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 416
ThreadCreationTime : 4/18/2005 9:56:23 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 672
ThreadCreationTime : 4/18/2005 9:56:26 AM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 4/18/2005 9:56:27 AM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 740
ThreadCreationTime : 4/18/2005 9:56:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 752
ThreadCreationTime : 4/18/2005 9:56:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 924
ThreadCreationTime : 4/18/2005 9:56:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1024
ThreadCreationTime : 4/18/2005 9:56:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1180
ThreadCreationTime : 4/18/2005 9:56:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1212
ThreadCreationTime : 4/18/2005 9:56:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1352
ThreadCreationTime : 4/18/2005 9:56:29 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe
#:11 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1364
ThreadCreationTime : 4/18/2005 9:56:29 AM
BasePriority : Normal
FileVersion : 5.4.4.17
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe
#:12 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1392
ThreadCreationTime : 4/18/2005 9:56:29 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe
#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1632
ThreadCreationTime : 4/18/2005 9:56:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 308
ThreadCreationTime : 4/18/2005 9:57:19 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:15 [hpztsb05.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ProcessID : 560
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 2,126,0,0
ProductVersion : 2,126,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002
#:16 [hphmon04.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 568
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 4,0,34
ProductVersion : 4,0,34
ProductName : hp photosmart
CompanyName : Hewlett-Packard
FileDescription : HPHmon04
InternalName : HPHmon04
LegalCopyright : Copyright © 2001
OriginalFilename : HPHmon04.exe
#:17 [hpgs2wnd.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 584
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 2,3,0,0 161
ProductVersion : 2,3,0,0 161
ProductName : Hewlett-Packard hpgs2wnd
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
LegalCopyright : Copyright © 2001
OriginalFilename : hpgs2wnd.exe
#:18 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 620
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe
#:19 [motivesb.exe]
FilePath : C:\PROGRA~1\SBCSEL~1\SMARTB~1\
ProcessID : 652
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000
ProductVersion : 5.6.7.asst_classic.smartbridge
ProductName : Motive System
CompanyName : Motive Communications, Inc.
FileDescription : SBC Self Support Tool Alerts
InternalName : version
LegalCopyright : Copyright 1998-2003
OriginalFilename : version
#:20 [deletesatellite.exe]
FilePath : C:\Program Files\GhostSurf 2005\
ProcessID : 952
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : GhostSurf
CompanyName : Tenebril Incorporated
FileDescription : GhostSurf satellite deletion tool
InternalName : DeleteSatellite
LegalCopyright : Copyright © 2004 Tenebril Inc.
OriginalFilename : DeleteSatellite.exe
Comments : This tool deletes files the user wishes to delete when they become unprotected at restart
#:21 [opware32.exe]
FilePath : C:\Program Files\ScanSoft\OmniPageSE\
ProcessID : 1000
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 11.0
ProductVersion : 11.0
ProductName : OmniPage SE
CompanyName : ScanSoft, Inc
FileDescription : OCR Aware (32-bit)
InternalName : Opware32.exe
LegalCopyright : Copyright © 1995-2000 ScanSoft, Inc
OriginalFilename : Opware32.exe
#:22 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1044
ThreadCreationTime : 4/18/2005 9:57:20 AM
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe
#:23 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ProcessID : 1076
ThreadCreationTime : 4/18/2005 9:57:21 AM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001,2002, Roxio, Inc.
OriginalFilename : Directcd.exe
#:24 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1124
ThreadCreationTime : 4/18/2005 9:57:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
#:25 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 1220
ThreadCreationTime : 4/18/2005 9:57:21 AM
BasePriority : Normal
FileVersion : 4.7.0041
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2001
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe
#:26 [proxy.exe]
FilePath : C:\Program Files\GhostSurf 2005\
ProcessID : 796
ThreadCreationTime : 4/18/2005 9:57:21 AM
BasePriority : Normal
FileVersion : 0.10
ProductVersion : 3.00
ProductName : GhostSurf
CompanyName : Tenebril Incorporated
FileDescription : GhostSurf proxy
InternalName : VehicleApp
LegalCopyright : Copyright © 2001 - 2004 Tenebril Inc
OriginalFilename : VehicleApp.exe
Comments : GhostSurf proxy
#:27 [scheduler daemon.exe]
FilePath : C:\Program Files\GhostSurf 2005\
ProcessID : 1316
ThreadCreationTime : 4/18/2005 9:57:21 AM
BasePriority : Normal
FileVersion : 0.10
ProductVersion : 3.00
ProductName : GhostSurf
CompanyName : Tenebril Incorporated
FileDescription : Scheduler daemon
InternalName : VehicleApp
LegalCopyright : Copyright © 2001 - 2004 Tenebril Inc
OriginalFilename : VehicleApp.exe
Comments : Scheduler daemon
#:28 [hpgs2wnf.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 1464
ThreadCreationTime : 4/18/2005 9:57:21 AM
BasePriority : Normal
FileVersion : 2, 6, 0, 161
ProductVersion : 2, 6, 0, 161
ProductName : hpgs2wnf Module
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
LegalCopyright : Copyright 2001
OriginalFilename : hpgs2wnf.EXE
#:29 [mpbtn.exe]
FilePath : C:\Program Files\SBC Self Support Tool\bin\
ProcessID : 1616
ThreadCreationTime : 4/18/2005 9:57:22 AM
BasePriority : Normal
#:30 [ymsgr_tray.exe]
FilePath : C:\PROGRA~1\Yahoo!\MESSEN~1\
ProcessID : 1144
ThreadCreationTime : 4/18/2005 9:57:23 AM
BasePriority : Normal
#:31 [ccproxy.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2812
ThreadCreationTime : 4/18/2005 9:57:38 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe
#:32 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2848
ThreadCreationTime : 4/18/2005 9:57:38 AM
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe
#:33 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3064
ThreadCreationTime : 4/18/2005 9:57:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:34 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 3084
ThreadCreationTime : 4/18/2005 9:57:41 AM
BasePriority : Normal
FileVersion : 1, 8, 48, 77
ProductVersion : 1, 8, 48, 77
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe
#:35 [hphipm11.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3412
ThreadCreationTime : 4/18/2005 9:57:52 AM
BasePriority : Normal
FileVersion : 4, 5, 0, 770
ProductVersion : 4, 5, 0, 770
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe
#:36 [ybrowser.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ProcessID : 2408
ThreadCreationTime : 4/18/2005 9:58:47 AM
BasePriority : Normal
FileVersion : 2002, 9, 13, 2
ProductVersion : 1, 0, 5, 1
ProductName : Yahoo! Browser
CompanyName : Yahoo!, Inc.
FileDescription : Yahoo! Browser
InternalName : YBrowser
LegalCopyright : Copyright © 2002 Yahoo! Inc.
OriginalFilename : YBrowser.EXE
#:37 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 3808
ThreadCreationTime : 4/18/2005 10:04:23 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
#:38 [hh.exe]
FilePath : C:\WINDOWS\
ProcessID : 3020
ThreadCreationTime : 4/18/2005 10:04:23 AM
BasePriority : Normal
FileVersion : 5.2.3644.0
ProductVersion : 5.2.3644.0
ProductName : HTML Help
CompanyName : Microsoft Corporation
FileDescription : Microsoft® HTML Help Executable
InternalName : HH 1.4
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : HH.exe
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\{8b0fef15-54dc-49f5-8377-8172de975f75}
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\{8b0fef15-54dc-49f5-8377-8172de975f75}
Value :
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm.adm.1
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm.adm.1
Value :
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm.adm
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm.adm
Value :
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\typelib\{5830698f-7fc0-40cd-a453-9a0cafdf3a64}
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\adm.exe
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\adm.exe
Value : AppID
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
Value :
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\altnet signing module.exe
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\altnet signing module.exe
Value : AppID
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\altnetdm
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\altnetdm
Value : DisplayName
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\altnetdm
Value : UnInstallString
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}
Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-861567501-746137067-725345543-1004\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 27
Objects found so far: 27
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : srpcsrv32.dll
Category : Malware
Comment :
Object : C:\!Submit\
AltnetBDE Object Recognized!
Type : File
Data : ppq2F.tmp
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Uninstaller
CompanyName : Altnet, Inc.
FileDescription : Uninstaller
InternalName : AltnetUninstall.exe
LegalCopyright : Copyright © 2003,2004
OriginalFilename : AltnetUninstall.exe
AltnetBDE Object Recognized!
Type : File
Data : ppq30.tmp
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\
FileVersion : 1, 0, 0, 55
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Sharing Manager
FileDescription : Altnet Sharing Manager
InternalName : ASM
LegalCopyright : Copyright 2003
OriginalFilename : ASM.EXE
AltnetBDE Object Recognized!
Type : File
Data : ppq31.tmp
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 0
ProductName : BDE asmend
CompanyName : BDE
FileDescription : asmend
InternalName : KillASM
LegalCopyright : Copyright © 2003
OriginalFilename : asmend
AltnetBDE Object Recognized!
Type : File
Data : ppq32.tmp
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
InternalName : ASMPS
LegalCopyright : Copyright 2003
OriginalFilename : ASMPS.DLL
AltnetBDE Object Recognized!
Type : File
Data : ppq33.tmp
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\
FileVersion : 1, 0, 0, 114
ProductVersion : 1, 0, 0, 0
ProductName : Peer Points Manager
FileDescription : Peer Points Manager
InternalName : Peer Points Manager
LegalCopyright : Copyright Altnet Inc. © 2002,2003
AltnetBDE Object Recognized!
Type : File
Data : adm4005.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\
FileVersion : 4, 0, 0, 5
ProductVersion : 4, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright © 2003, 2004 Altnet
OriginalFilename : ADM.exe
AltnetBDE Object Recognized!
Type : File
Data : asm.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\
FileVersion : 1, 0, 0, 55
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Sharing Manager
FileDescription : Altnet Sharing Manager
InternalName : ASM
LegalCopyright : Copyright 2003
OriginalFilename : ASM.EXE
AltnetBDE Object Recognized!
Type : File
Data : asmps.dll
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
InternalName : ASMPS
LegalCopyright : Copyright 2003
OriginalFilename : ASMPS.DLL
AltnetBDE Object Recognized!
Type : File
Data : dminstall7.cab
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\
AltnetBDE Object Recognized!
Type : File
Data : Points Manager.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\
FileVersion : 1, 0, 0, 114
ProductVersion : 1, 0, 0, 0
ProductName : Peer Points Manager
FileDescription : Peer Points Manager
InternalName : Peer Points Manager
LegalCopyright : Copyright Altnet Inc. © 2002,2003
AltnetBDE Object Recognized!
Type : File
Data : settings.cab
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\
AltnetBDE Object Recognized!
Type : File
Data : setup.cab
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\
AltnetBDE Object Recognized!
Type : File
Data : sysdetect.dll
Category : Data Miner
Comment :
Object : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\
FileVersion : 1, 0, 0, 7
ProductVersion : 1, 0, 0, 7
ProductName : Brilliant bdedetect
CompanyName : Brilliant
FileDescription : bdedetect
InternalName : bdedetect
LegalCopyright : Copyright © 2000
OriginalFilename : bdedetect.dll
AltnetBDE Object Recognized!
Type : File
Data : A0003833.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 1, 2, 4, 3
ProductVersion : 1, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright 2002
OriginalFilename : ADM25.dll
AltnetBDE Object Recognized!
Type : File
Data : A0003834.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 4, 0, 0, 6
ProductVersion : 4, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright © 2003 Altnet
OriginalFilename : ADM4.dll
AltnetBDE Object Recognized!
Type : File
Data : A0003835.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 1, 0, 1, 10
ProductVersion : 1, 0, 0, 0
ProductName : ADMData
CompanyName : Altnet
FileDescription : ADMData
InternalName : ADMData
LegalCopyright : Copyright 1999
OriginalFilename : ADMData.dll
AltnetBDE Object Recognized!
Type : File
Data : A0003836.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 3, 0, 39, 2
ProductVersion : 3, 0, 0, 0
ProductName : ADMDloader
CompanyName : Altnet
FileDescription : BDEDownloader
InternalName : ADMDloader
LegalCopyright : Copyright © 2001 Altnet
OriginalFilename : ADMDloader.dll
AltnetBDE Object Recognized!
Type : File
Data : A0003837.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 0
ProductName : ADMFdi
CompanyName : Altnet
FileDescription : ADMFdi
InternalName : ADMFdi
LegalCopyright : Copyright © 2000
OriginalFilename : ADMFdi
AltnetBDE Object Recognized!
Type : File
Data : A0003838.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 4, 0, 0, 4
ProductVersion : 4, 0, 0, 0
ProductName : ADMProg
CompanyName : Altnet
InternalName : ADMProg
LegalCopyright : Copyright © 2003 Altnet
OriginalFilename : ADMProg.dll
AltnetBDE Object Recognized!
Type : File
Data : A0003839.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Uninstaller
CompanyName : Altnet, Inc.
FileDescription : Uninstaller
InternalName : AltnetUninstall.exe
LegalCopyright : Copyright © 2003,2004
OriginalFilename : AltnetUninstall.exe
AltnetBDE Object Recognized!
Type : File
Data : A0003840.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 0
ProductName : BDE asmend
CompanyName : BDE
FileDescription : asmend
InternalName : KillASM
LegalCopyright : Copyright © 2003
OriginalFilename : asmend
AltnetBDE Object Recognized!
Type : File
Data : A0003841.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 4, 0, 0, 5
ProductVersion : 4, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright © 2003, 2004 Altnet
OriginalFilename : ADM.exe
AltnetBDE Object Recognized!
Type : File
Data : A0003843.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
FileVersion : 1, 0, 0, 7
ProductVersion : 1, 0, 0, 7
ProductName : Brilliant bdedetect
CompanyName : Brilliant
FileDescription : bdedetect
InternalName : bdedetect
LegalCopyright : Copyright © 2000
OriginalFilename : bdedetect.dll
AltnetBDE Object Recognized!
Type : File
Data : A0003875.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP36\
FileVersion : 1, 0, 0, 55
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Sharing Manager
FileDescription : Altnet Sharing Manager
InternalName : ASM
LegalCopyright : Copyright 2003
OriginalFilename : ASM.EXE
AltnetBDE Object Recognized!
Type : File
Data : A0003876.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP36\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
InternalName : ASMPS
LegalCopyright : Copyright 2003
OriginalFilename : ASMPS.DLL
AltnetBDE Object Recognized!
Type : File
Data : A0003877.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP36\
FileVersion : 1, 0, 0, 114
ProductVersion : 1, 0, 0, 0
ProductName : Peer Points Manager
FileDescription : Peer Points Manager
InternalName : Peer Points Manager
LegalCopyright : Copyright Altnet Inc. © 2002,2003
Security iGuard Object Recognized!
Type : File
Data : A0008441.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP63\
FileVersion : 1,0,0,53
ProductVersion : 1,0,0,53
ProductName : Security iGuard Application
CompanyName : Rex-Services
FileDescription : Security iGuard
InternalName : Security iGuard
LegalCopyright : Copyright © 2004 Rex-Services All rights reserved
OriginalFilename : Security iGuard.exe
Security iGuard Object Recognized!
Type : File
Data : A0008443.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP63\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013662.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP69\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013684.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013686.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013687.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013689.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013690.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013692.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013693.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013695.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013696.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013698.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013699.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013701.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013702.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013704.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013705.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0013707.DLL
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0016843.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP72\
Malware.TopAntiSpyware Object Recognized!
Type : File
Data : A0020924.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP74\
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 75
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 75
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : GetThis4Free (Adult only).url
Category : Misc
Comment : Problematic URL discovered: http://getthis4free.com/
Object : C:\Documents and Settings\T & A\Favorites\
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : GET THIS 4 FREE.url
Category : Misc
Comment : Problematic URL discovered: http://getthis4free.com/
Object : C:\Documents and Settings\T & A\Favorites\
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\signingmodule.signingmodule.1
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\signingmodule.signingmodule.1
Value :
AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\signingmodule.signingmodule
AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\signingmodule.signingmodule
Value :
AltnetBDE Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\DOCUME~1\T&A~1\LOCALS~1\Temp\ADMCache
Security iGuard Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Documents and Settings\T & A\Application Data\Rex-Services
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 83
3:11:01 AM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:27.812
Objects scanned:114046
Objects identified:83
Objects ignored:0
New critical objects:83
Here is the stuff you wanted from Hijack, misc tools:
127.0.0.1 localhost
Not sure if you wanted another Hijack log, but here it is in case you do need it:
Logfile of HijackThis v1.99.1
Scan saved at 3:19:34 AM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
-
Just on my way to work
This value in the registry, I believe, controls the web content:
"NoActiveDesktopChanges"=dword:00000001
allowing or disallowing web content to be used for the background.
We can deal with it later.
Thanks for the log from Ad-Aware; it appears that you may have just run the scan before posting back.
Can I get you to restart your computer and post just a fresh HijackThis log,
just as a double check to ensure your log is still clean?
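Checking that a fresh log is "still clean" is easier to do mechanically once the logs run to a few hundred lines each. The script below is an added example for this thread, not code from the forum, from HijackThis or from Ad-Aware: it parses the R/O entries of two HijackThis logs, reports what was added or removed between them, lists running processes outside the usual Windows and Program Files locations, and flags the entry types that deserve a closer look (O4 autostarts outside those locations, an R1 ProxyServer setting, O17 NameServer overrides, O20 Winlogon Notify DLLs). The two embedded logs are constructed in the HijackThis v1.99 format and are not the poster's; the trusted-directory list and the flagging rules are this example's own assumptions.

```python
"""HijackThis log triage: diff two logs and flag entries worth a second look.

Added example for this thread; not code from the forum, HijackThis or Ad-Aware.
The embedded logs are constructed, and the trusted-directory list and flagging
rules are this script's own assumptions, not rules published by those tools.
"""
import re
from typing import Dict, List, Tuple

# A HijackThis entry starts with a section tag (R0, R1, O2, O4, O17, O23, ...).
ENTRY_RE = re.compile(r"^(?P<tag>[RO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path with an executable extension inside an O4 body.
PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|scr|bat|com))"?')
# Where an XP autostart or process is least surprising (assumption; lowercase).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

def parse_log(text: str) -> Dict[str, List[str]]:
    """Return {tag: [entry body, ...]} for every R/O line in a log."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["tag"], []).append(m["body"])
    return entries

def running_processes(text: str) -> List[str]:
    """Image paths under 'Running processes:' (the block ends at the first R/O entry)."""
    procs: List[str] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block and line and not ENTRY_RE.match(line):
            procs.append(line)
        elif in_block:
            break
    return procs

def suspicious_processes(text: str) -> List[str]:
    """Processes running from outside TRUSTED_DIRS (Temp, profile folders, ...)."""
    return [p for p in running_processes(text) if not p.lower().startswith(TRUSTED_DIRS)]

def diff_logs(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(entries added in `new`, entries gone since `old`), each as 'tag - body'."""
    old_set = {f"{t} - {b}" for t, bs in parse_log(old).items() for b in bs}
    new_set = {f"{t} - {b}" for t, bs in parse_log(new).items() for b in bs}
    return sorted(new_set - old_set), sorted(old_set - new_set)

def flag_entries(text: str) -> List[str]:
    """Heuristic review of one log; returns human-readable warnings."""
    warnings: List[str] = []
    for tag, bodies in parse_log(text).items():
        for body in bodies:
            low = body.lower()
            if tag == "O4":  # autostart whose binary lives outside the trusted dirs
                m = PATH_RE.search(low)
                if m and not m.group(1).startswith(TRUSTED_DIRS):
                    warnings.append(f"O4 autostart outside trusted dirs: {body}")
            elif tag == "R1" and "proxyserver" in low:  # browser traffic goes via a proxy
                warnings.append(f"Proxy set, check which program owns the port: {body}")
            elif tag == "O17":  # DNS override; confirm these are the ISP's resolvers
                warnings.append(f"NameServer override: {body}")
            elif tag == "O20":  # DLL winlogon loads at logon; a classic persistence spot
                warnings.append(f"Winlogon Notify DLL, check its publisher: {body}")
    return warnings

# Constructed "before" and "after" logs in HijackThis v1.99 format (not the poster's).
OLD_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.1 192.0.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
NEW_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.1 192.0.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for title, items in (("added", added), ("removed", removed),
                         ("flags in new log", flag_entries(NEW_LOG)),
                         ("processes outside trusted dirs (old log)", suspicious_processes(OLD_LOG))):
        print(f"{title}:", *items, sep="\n  ")
```

The flags are deliberately noisy: a 127.0.0.1 proxy entry may belong to a local privacy proxy (GhostSurf runs one on this machine) and is not by itself a sign of compromise, and HijackThis itself, run from the Desktop, shows up as a process outside the trusted directories. The value is in shrinking the review to the lines that changed since the last log plus the handful of entry types that matter, rather than rereading the whole thing.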
-
Thanks for the reply, here is my latest Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 10:23:48 AM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Questolo,
I am experiencing some new things...I get these grey Windows Messenger windows from time to time that say something like "your system is infected...blah blah blah, click here to download the latest patch."
Also, if I leave my computer on for any length of time, when I return I have about 30 - 40 open dial-up connection windows sitting on my desktop. I'm not sure if any of this is related to the problem you've been helping me with, but it is a pain in the you know what.
I ran spybot just to see what it would produce and it found www.coolwebsearch... I hit fix and rebooted???
-
Can you do the following please
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right-hand side for this service:
Name: Messenger
Double-click on it and STOP the service if it is running
In the drop-down menu, change the startup type to Disabled
Do the same for Alerter
Next:
Download and UNZIP to desktop
fixit.bat
So you now have fixit.reg on your desktop
[attachment=153:attachment]
From my signature below, download and save to desktop CWShredder.exe
With all other windows closed
Double-click on fixit.reg and allow it to merge into the registry
Next: Open CWShredder and click the FIX button, let it fix whatever it finds
Restart your computer
Back in Windows
Could you
Download this virus checker from eScan:
Mwav.exe: ftp://ftp.microworldsystems.com/download/tools/mwav.exe
There's nothing to install, save it and then double click to run
It will self extract
In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left-click and highlight all the info in the lower pane, then use Ctrl+C to copy everything found in the lower pane and paste it back here in your reply
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
After posting back the Mwav scan could you also post a fresh Hijackthis log
Also let me know if you can now select the Web tab
-
I disabled messenger and alerter. I merged Fixit.reg and then ran CWshredder. CW found nothing. I restarted and attempted to download Mwav.exe from the provided link, but this is what appeared:
220-
220-Welcome to microworldsystems.com!
220-
220 microworldsystems.com FTP server (Version wu-2.6.2(11) Fri Nov 30 21:07:48 PST 2001) ready.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
I am able to see the web tab in display properties, however, there is nothing listed there.
Here is my latest Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:46 AM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Can you try this link for eScan's mwav scan and try an alternate free download link
http://www.mwti.net/antivirus/mwav.asp
Also, just for a check, can you do the following I asked previously
Could you also open Hijackthis>>Open Misc tools section>>Open Host file manager
Click the "Open in Notepad"
Copy and paste back the whole text file that opens
Remember to post back the findings in the lower pane of eScan's mwav log
-
This is the only thing that was listed when I opened Hijack>>Open Misc. tools>>Open Host file Manager and then clicked Open in Notepad:
127.0.0.1 localhost
I was able to download Mwav and here is what it found:
File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\kbdbgent.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nvwrrace.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
-
Questolo,
I enabled Norton Anti-Virus today and just got a virus alert that says:
High risk
Object Name: c:\!Submit\sys1227.exe
Virus Name: Trojan Horse
I try to click the OK button on the little alert window and it won't go away; every time I click it changes the number, i.e. 1127, 1217 etc.
How do I get rid of that window? It just stays there no matter what other program I bring up.
-
Norton's is flagging the folder that killbox moves the bad files to
I'm not sure what you are posting here
This is the only thing that listed when I opened Hijack>>Open Misc. tools>>Open Host file Manager and then clicked Open in Notepad:
127.0.0.1 localhost
That's all you see?
Are you sure it doesn't look like the below in code
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
If it looks like the above let me know
Print this out please
You also seem to be infected with Backdoor.Fivsec
Can you also print out the recommendations to modify in the registry recommended by Symantec's
If you're unsure about editing the registry, or not comfortable with it, let me know and we'll try alternate methods
Here's the link to Symantec's: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.fivsec.html
Try the following, disable Norton's autoprotect temporarily if it is still prompting you and getting in the way
Disconnect from the Internet
Run Windows CleanUp!, but don't log off after it's done
Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\System32\thun32.dll
Select the radio button to
Delete on Reboot
Click the red circle and white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for these paths to the file names
C:\WINDOWS\System32\thun.dll
C:\WINDOWS\System32\kbdbgent.dll
C:\WINDOWS\System32\nvwrrace.dll
Allow the computer to Reboot after you have entered the last path to the file name
Back in Windows
Go ahead and delete this folder
c:\!Submit <-this folder
Post back a fresh Hijackthis log afterwards
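The helper above checks the HOSTS file by comparing it with the stock Windows one by eye. Here is the same check as a script, an added example that is not code from the thread; the sample file contents are constructed to look like a default XP HOSTS file with two extra entries of the kind that get added during an infection.

```python
"""Audit a Windows HOSTS file the way the helper above checks it by eye.

Added example, not code from the thread. A default XP HOSTS file carries only
comment lines plus "127.0.0.1 localhost"; anything else deserves a second look.
"""
import ipaddress

# Constructed sample: the default file plus two entries of the kind malware
# adds (a vendor update host sinkholed to loopback, and a site redirected).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
# 38.25.63.10      x.acme.com              # x client host
127.0.0.1       localhost
127.0.0.1       updates.example-av.test     # constructed: blocks AV updates
10.0.0.5        www.example-bank.test       # constructed: redirect
"""


def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for every mapping line.

    Comment lines and trailing '# ...' comments are dropped; lines whose first
    token is not an IP address are ignored rather than treated as mappings.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((ip, parts[1:]))
    return entries


def audit_hosts(text):
    """Return findings as (severity, ip, hostname, reason) tuples.

    The only mapping a stock file needs is localhost -> loopback; every other
    entry is reported so a human can decide whether it belongs there.
    """
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost":
                if not ip.is_loopback:
                    findings.append(("high", str(ip), name,
                                     "localhost mapped off the loopback range"))
            elif ip.is_loopback:
                findings.append(("medium", str(ip), name,
                                 "host sinkholed to loopback (update blocking?)"))
            else:
                findings.append(("medium", str(ip), name,
                                 "host pinned to a fixed address (redirect?)"))
    return findings


def is_stock(text):
    """True when the file contains nothing but comments and localhost."""
    return not audit_hosts(text)


if __name__ == "__main__":
    for sev, ip, name, why in audit_hosts(SAMPLE_HOSTS):
        print(f"[{sev}] {ip:<15} {name:<28} {why}")
    print("stock file:", is_stock(SAMPLE_HOSTS))
```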
-
Questolo,
Sorry I didn't respond yesterday, I was very busy. I wasn't quite sure what you wanted me to do once I got to the Symantec link...you said to print the recommendations, which I did. I didn't know if you wanted me to also carry out the instructions for "Removal". I skipped that until I hear back from you.
As far as the Host file manager in Hijack...that is all I see when I perform the function. I don't see any of the stuff you listed in your last post.
I ran cleanup and then killbox and killed the files you listed. Then I deleted the folder !Submit.
Thought I should mention, when I went into C: to delete !submit, I accidentally went into the windows folder and noticed three folders that looked weird:
$hf_mig$
$NtuninstallKB822603$
$uninstallKB842773$
Just thought they looked out of place and I should tell you.
Latest Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 11:10:39 AM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Sorry, I guess I wasn't logged in on my last reply.
-
Could you do the following for me please
Download Hoster from this link: http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=139
Unzip The contents to a folder
Open the folder and open HOSTER and click the
Restore Original Hosts
The files you see now that you normally don't see are hidden files
You can go back and hide hidden files and folders
Those are legit files you are seeing
What concerns me is the cleansing of the registry from Symantec's
Delete the keys or values in the registry; if you're not comfortable with it let me know
Post back a fresh hijackthis log afterwards, by the way, your last log looks good
We just need to do some final cleanup steps
-
Questolo,
I'm not sure which steps to follow in that link to Symantec. Here is my last HJ log:
Logfile of HijackThis v1.99.1
Scan saved at 9:19:32 AM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Can you download Find.zip and unzip it to your desktop
Find.bat will now be on your desktop
Double click on Find.bat and a text file will open, can you copy and paste the contents back here, thanks
-
This is from Find.bat:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
-
I'll check back later, but could I get you to delete all references of find.zip and find.bat
that you downloaded before and then redownload it from my last response to you
Unzip find.zip and double click on find.bat and post the contents
-
Here is what find.bat produced:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
-
Can you download and unzip to your desktop fivsec.zip
So you now have fivsec.reg on your desktop
Double click on and merge fivsec.reg
Afterwards, can I have you try the following
Go to START>>RUN>>Type in regedt32
Hit OK
Navigate to this key in bold
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
You can do that by doing the following
Expand (+) the below
+HKEY_LOCAL_MACHINE
+SOFTWARE
+Policies
+Microsoft
+Windows
If found
Left click and Highlight WindowsUpdate
Then right click on it and EXPORT the key
Name it and save to a folder such as MyDocuments
Exit the Registry Editor
Navigate to the location you saved the exported registry file
Right click on the file and choose EDIT
Copy and paste back the findings
-
I did as you said and here is what it produced:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
-
Can you do the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-
Double click on fix.reg and allow to merge to the registry
That should do all the reg fixes
You appear to be using Norton's firewall and not XP's
So you won't need to reenable XP's firewall as mentioned by Symantec
If the above is true, it's not a good idea to run more than one firewall on your system
But use that link to reset your security settings in Internet Explorer and other recommendations
here is the link again
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.fivsec.html
Restart your computer afterwards
If everything is running better
You should disable System Restore, restart your computer, then re-enable System Restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Could you post back one last hijackthis log afterwards, just to make sure it's still clean
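The Find.bat and regedt32 exports above show the Security Center override and notification-disable values and the DoNotAllowXPSP2 policy, and fix.reg above removes a value with the `"Name"=-` form. As an added example that is not code from the thread or from its fivsec.zip attachment, here is a parser for that .reg export format that flags those values and writes a removal .reg in the same form; the sample .reg text and the list of suspect value names are constructed from the exports posted in this thread.

```python
"""Parse a Windows .reg export (the Find.bat / regedt32 output shape posted
above) and flag the values that silence Security Center or block XP SP2.

Added example, not code from the thread or from its fivsec.zip attachment.
The generated fix uses the same '"Name"=-' deletion syntax as fix.reg above.
"""
import re

# Constructed sample in the shape of the two exports posted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
"""

# Values a healthy home machine should not have set to a non-zero DWORD
# (names taken from the exports in this thread).
SUSPECT_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": (
        "FirewallOverride", "AntiVirusOverride", "AntiVirusDisableNotify",
        "FirewallDisableNotify", "UpdatesDisableNotify",
    ),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate": (
        "DoNotAllowXPSP2",
    ),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_token}} from .reg text.

    regedit writes .reg files as UTF-16 with a BOM; decode before calling.
    The header line, blank lines and ';' comments are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def dword_value(raw):
    """Decode a 'dword:xxxxxxxx' token to an int; None for other types."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


def find_suspect(keys):
    """Return [(key_path, value_name, int_or_None)] for suspect values.

    Registry paths and value names are case-insensitive, so matching uses
    lower-cased copies. A value of an unexpected type is reported as well
    (int_or_None is None) because it still needs a human look.
    """
    lowered = {k.lower(): {n.lower(): v for n, v in vals.items()}
               for k, vals in keys.items()}
    hits = []
    for key, names in SUSPECT_VALUES.items():
        present = lowered.get(key.lower(), {})
        for name in names:
            if name.lower() in present:
                v = dword_value(present[name.lower()])
                if v is None or v != 0:
                    hits.append((key, name, v))
    return hits


def build_fix_reg(hits):
    """Emit .reg text that deletes each flagged value ('"Name"=-')."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_suspect(parse_reg(SAMPLE_REG))
    for key, name, value in found:
        print(f"{key}\n    {name} = {value}")
    print(build_fix_reg(found))
```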
-
Questolo,
You are simply amazing. I want to thank you very much for helping me through this. I will now donate to your cause, keep up the fight. Here is my last hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:30:15 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/sbc/antispy/checkforupdates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Log still looks good.
Can you do me a favor?
Look for these files and let me know if they exist; some we got rid of already:
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
Could you also let me know if you see any of these folders?
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
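To answer a request like the one above without opening each folder by hand, here is an added PowerShell script (my own, not code from this thread, from HijackThis, or from the helper) that tests every path the helper listed and, for any file that still exists, records its last-write time and SHA-256 hash so the result can be pasted back into the reply. The paths are the ones in the post above; the script assumes PowerShell 4 or later, which is where Get-FileHash first appears.

```powershell
# Added example: check the files and folders the helper asked about.
# Files to test (taken from the helper's list above).
$files = @(
    'C:\wp.exe',
    'C:\wp.bmp',
    'C:\Windows\sites.ini',
    'C:\Windows\popuper.exe',
    'C:\WINDOWS\System32\wldr.dll',
    'C:\Windows\System32\helper.exe',
    'C:\Windows\System32\intmonp.exe',
    # The legitimate Windows Messenger in this log lives under
    # C:\Program Files\Messenger; a copy in System32 is what is being checked.
    'C:\Windows\System32\msmsgs.exe',
    'C:\Windows\System32\ole32vbs.exe',
    'C:\Windows\system32\msole32.exe'
)

# Folders to test (also from the helper's list).
$folders = @(
    'C:\Program Files\Search Maid',
    'C:\Program Files\Virtual Maid',
    'C:\Windows\System32\Log Files',
    'C:\Program Files\Security IGuard'
)

function Test-SuspectPath {
    # Returns one object per path: whether it exists and, for files that do,
    # the last-write time and SHA-256 hash to include in the report.
    param(
        [string[]]$Paths,
        [ValidateSet('Leaf', 'Container')][string]$Type
    )
    foreach ($p in $Paths) {
        # -LiteralPath avoids wildcard interpretation; -Force shows hidden items.
        $exists = Test-Path -LiteralPath $p -PathType $Type
        $result = [pscustomobject]@{
            Path      = $p
            Exists    = $exists
            LastWrite = $null
            Sha256    = $null
        }
        if ($exists -and $Type -eq 'Leaf') {
            $item = Get-Item -LiteralPath $p -Force
            $result.LastWrite = $item.LastWriteTime
            $result.Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
        $result
    }
}

$report = @(Test-SuspectPath -Paths $files -Type Leaf) +
          @(Test-SuspectPath -Paths $folders -Type Container)

# Print the full table, then a short summary of anything still present.
$report | Format-Table -AutoSize
$present = $report | Where-Object { $_.Exists }
if ($present) {
    "Still present: $($present.Count) of $($report.Count) paths"
} else {
    "None of the listed files or folders exist."
}
```

Run it from an elevated PowerShell prompt so that hidden and system-attributed files are visible; the hash lets the helper compare a surviving file against known samples instead of relying on the name alone.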