Author Topic: highjack this (Read 4869 times)

J · « **on:** December 01, 2004, 08:28:34 PM »

after reading what you guys have said about highjack this i downloaded it and i got some of the stuff off my computer but i think there is still more can you help?

heres the list

Logfile of HijackThis v1.97.7
Scan saved at 8:37:37 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\befsxxg.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\CSBB\CSV7P91.exe
C:\WINDOWS\security\logs\mfcun.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\WINDOWS\inf\dbtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\My Room\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=138770
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=138770
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=138770
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.ca/
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [zbrcedekrp] C:\WINDOWS\System32\befsxxg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\Run: [*eulabin] C:\WINDOWS\Help\eulabin.exe
O4 - HKLM\..\Run: [*mfcun] C:\WINDOWS\security\logs\mfcun.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MYROOM~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\inf\dbtask.exe ren time:1101665933
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CD...TInc/bridge.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.10 216.168.96.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.10 216.168.96.13

guestolo · « **Reply #1 on:** December 01, 2004, 08:39:58 PM »

Hi J, you have a few infections,
Could you first download and save to desktop
CWShredder

Close out all windows including this one
Double click the CWInstall
In the Next window click the FIX button and let it scan and fix all problems
RESTART your computer to finish the cleaning
this should help remove The Coolweb infection

You have other problems, but first
Could you update your version of Hijackthis
and don't save it to the desktop
Make a permanent folder for Hijackthis 1.98.2

EG...
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE or HERE
Save it to that new folder
Delete the one on the desktop

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important

Jenny · « **Reply #2 on:** December 01, 2004, 08:48:44 PM »

umm what does the program do you told me to download

guestolo · « **Reply #3 on:** December 01, 2004, 08:51:32 PM »

It searches for CoolWeb Infection
Could you double click to run it and hit the FIX button
Let it fix any problems and RESTART your computer

Post back with a fresh updated hijackthis log

Jenny · « **Reply #4 on:** December 01, 2004, 08:57:25 PM »

thanks for your help i will post my new log file as soon as i finish doing it

Jenny · « **Reply #5 on:** December 01, 2004, 09:15:56 PM »

Logfile of HijackThis v1.97.7
Scan saved at 9:25:34 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\befsxxg.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\CSBB\CSV7P91.exe
C:\WINDOWS\security\logs\mfcun.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\AppPatch\utilreg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\My Room\My Documents\highjack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.ca/
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: (no name) - {4A67CB5C-DF4D-EFE7-6B83-2E248FCD9C3D} - C:\WINDOWS\System32\rn5a3y60.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [zbrcedekrp] C:\WINDOWS\System32\befsxxg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\Run: [*eulabin] C:\WINDOWS\Help\eulabin.exe
O4 - HKLM\..\Run: [*mfcun] C:\WINDOWS\security\logs\mfcun.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MYROOM~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\AppPatch\utilreg.exe ren time:1101665933
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CD...TInc/bridge.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.10 216.168.96.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.10 216.168.96.13

heres my new log

guestolo · « **Reply #6 on:** December 01, 2004, 09:20:02 PM »

Hi again Jenny, can you update your version of Hijackthis please
The latest version is 1.98.2

Open Hijackthis>>Config>>Misc Tools>>>Check for Updates Online

I see you have Hijackthis in a permanent folder, good move
We seemed to have cleared the Coolweb infection, let's make sure we're seeing everything by updating your log

After you update post back with a Fresh hijackthis log

Jenny · « **Reply #7 on:** December 01, 2004, 09:20:33 PM »

where can i go to get the updated versions?

guestolo · « **Reply #8 on:** December 01, 2004, 09:23:34 PM »

Try this Jenny
Open Hijackthis>>Config>>Misc Tools>>>Check for Updates Online

If it won't update, I gave you a couple direct download links in my first reply to you

Jenny · « **Reply #9 on:** December 01, 2004, 09:31:39 PM »

Logfile of HijackThis v1.98.2
Scan saved at 9:40:29 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\befsxxg.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\CSBB\CSV7P91.exe
C:\WINDOWS\security\logs\mfcun.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\AppPatch\utilreg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\My Room\My Documents\highjack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.ca/
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: rn5a3y60 - {4A67CB5C-DF4D-EFE7-6B83-2E248FCD9C3D} - C:\WINDOWS\System32\rn5a3y60.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [zbrcedekrp] C:\WINDOWS\System32\befsxxg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\Run: [*eulabin] C:\WINDOWS\Help\eulabin.exe
O4 - HKLM\..\Run: [*mfcun] C:\WINDOWS\security\logs\mfcun.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MYROOM~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\AppPatch\utilreg.exe ren time:1101665933
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CD...TInc/bridge.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.10 216.168.96.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.10 216.168.96.13

here is the new log from the updated version of highjack this

guestolo · « **Reply #10 on:** December 01, 2004, 09:40:51 PM »

Hi Jenny, I'll be posting a fix shortly
I'll edit this reply when I'm ready
This will clear out a lot of problems

Good Work Jenny
Let's get some tools to help cleanup your log
Please download these 2 free Spyware Removers
They're both yours to keep for free and run scans with every couple of weeks

First, would you please Download and Install
the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this verision, uninstall yours and install this one
Please don't run Ad-Aware 6 if you have it
After installation-CHECK FOR UPDATES
Allow to download updates
Don't run this yet, but make sure you check for updates right now!

After you have that downloaded
Could you next download and install
Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Check and download All updates
Again, don't run this yet, but update it for now!

You may want to print this out, for easy reference
Or copy and paste this to a notepad file on your desktop
I need you to Start in safe mode Jenny
It's very simple, ensure you know how to from this link supplied from Symantec
Don't start in safe mode yet, I'll indicated when
Here's a link that will explain how to start in Safe mode
SAFE MODE

But first

Do another scan with Hijackthis and put a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: rn5a3y60 - {4A67CB5C-DF4D-EFE7-6B83-2E248FCD9C3D} - C:\WINDOWS\System32\rn5a3y60.dll

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [zbrcedekrp] C:\WINDOWS\System32\befsxxg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\Run: [*eulabin] C:\WINDOWS\Help\eulabin.exe
O4 - HKLM\..\Run: [*mfcun] C:\WINDOWS\security\logs\mfcun.exe

O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\AppPatch\utilreg.exe ren time:1101665933

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CD...TInc/bridge.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab

After you have ticked the above entries, close down All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis

Restart your computer into Safe mode

Access your Add/Remove Programs and remove if found
IstBar
WindowsSA
TV Media
BullsEye Network

Don't restart--Stay in safe mode
Set Windows to Show Hidden Files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Find and delete these files or folders if they exist--They are in bold
Remove what you can

FILES
C:\Windows\System32\wsaupdater.exe <--file
C:\WINDOWS\System32\rn5a3y60.dll
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\befsxxg.exe
C:\WINDOWS\Help\eulabin.exe
C:\WINDOWS\security\logs\mfcun.exe
C:\WINDOWS\AppPatch\utilreg.exe

FOLDERS
C:\Program Files\Common files\updater <--folder
C:\Program Files\WindowsSA
C:\Program Files\BullsEye Network
C:\Program Files\ISTsvc
C:\Program Files\TV Media
C:\Program Files\CSBB

After you removed what you can
Open Ad-Aware SE Personal 1.05--Make sure it's this version and you updated earlier

Perform a Full System Scan
When the Scan is complete
Right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each objects checkbox
click on the "Next" button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back into Normal mode

Open Spybot --- Make sure you have Searched for Updates
Do a Scan---Click the Check For Problems
When the scan is complete
Fix ALL entries in RED
RESTART your computer again to finish the cleaning

Post back with a fresh hijackthis log afterwards

Some entries will return
You have Virtumundo infection
We will have to deal with it later, but the above should clean quite a bit

Jenny · « **Reply #11 on:** December 01, 2004, 09:42:31 PM »

thank you for your help so far i probabuly wont get a chance to read this again so ill get it tommorow

guestolo · « **Reply #12 on:** December 01, 2004, 10:10:58 PM »

That's Okay Jenny, post back when you can, but don't wait too long(I'm talking about days)

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' /> or sometimes this can cause reinfections

You may want to also do an Online Virus scan at
Housecall's---Set to Autoclean
http://housecall.trendmicro.com/

and/or Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm

Let me know how everythings running after
As mentioned, we will still have to rid you of at least one infection
Symantec's has a removal tool that works most times
We will try this after you get the fixes in my last reply

Jenny · « **Reply #13 on:** December 02, 2004, 06:48:40 PM »

hey i gotspy bot downloaded and updated i also did the thing in high jack this you told me to do but it will not allow me to download the ad-aware it says it cannot find the server

guestolo · « **Reply #14 on:** December 02, 2004, 07:04:21 PM »

That's okay Jenny, try one of the links here to install Ad-Aware
http://www.lavasoftusa.com/support/download/
Run as suggested above--Remember to Check for Updates after you install it
I would do an Online Virus scan also

Post back a fresh hijackthis log afterwards so I can see what else needs to be done
Let me know of any problems

Jenny · « **Reply #15 on:** December 02, 2004, 07:22:07 PM »

do i have to be in safe mode when i run ad ware

guestolo · « **Reply #16 on:** December 02, 2004, 07:25:11 PM »

Nope, but after you update, could you close down all browser windows to run it
Remember to Perform a Full System Scan--Restart your computer after you remove all Criticals
If it has problems finishing the scan then start in safe mode

I'll check back later to see how you made out

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Jenny · « **Reply #17 on:** December 02, 2004, 07:32:17 PM »

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' /> it wont let me dellte the tv media folder it says its in use

guestolo · « **Reply #18 on:** December 02, 2004, 07:42:26 PM »

That's why it's best to start in safe mode
That link to show you How to start in safe mode gives detailed instructions

You should learn how to do this anyways

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Do what you can from the instructions I supplied and then post back a fresh hijackthis log

Jenny · « **Reply #19 on:** December 02, 2004, 07:56:55 PM »

i was in safe mode i followed all your of your instructions on how to do it as well even in safe mode it said the it couldnt delete it becaus it was running

News:

Author Topic: highjack this (Read 4869 times)

J