Author Topic: need websiteviewer help (Read 5247 times)

JenE · « **on:** March 20, 2005, 06:16:37 PM »

I am in need of help getting rid of the websiteviewer hell that has taken over my computer.

Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:10:13 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\otqycg.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\windows\system32\calc.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hotbar\Bin\4.6.1.0\HbSrv.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O1 - Hosts: 69.50.177.254 google.com www.google.com www.gooogle.com gooogle.com
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [xjvptjep] C:\WINDOWS\System32\xjqenvvm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [otqycg] c:\windows\system32\otqycg.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {01A82FAC-D9A9-67EC-665F-1BE95CF7A0C9} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0CE55843-1693-18B0-FD3C-155074C95B5B} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0F5B4505-6EE1-337D-704D-5210605C52D0} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {12AB6DBE-AB24-6826-3A1B-0E6D6B0DF0D8} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab
O16 - DPF: {15CDE707-80DF-1958-3278-03124A6A2FA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {1EC74EF1-5B81-1164-2366-62A64BE55D70} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {204B087A-8B03-2C28-2771-7851032A33FC} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {24692DC5-C9C2-55D2-8FA8-79A9392220ED} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {29D26379-39E8-047E-47B7-7FF152623A35} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {34143973-F098-4E74-1B19-67ED55D94750} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3AE77F61-7AEA-1E42-F679-27167190FE48} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {3D955CBE-54BF-243D-2CB4-72FC18CC22AD} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {486BE088-351A-790B-0645-092E119B3BA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {4A8213BA-6633-1E19-06E0-03D004676AF9} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {54D8FD11-D73A-7797-8270-43880A70C3C5} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {5748C11E-2386-6861-1E72-3BF06C4AB3EB} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A02DFE7-0EB8-60D1-0CE9-468915A6D088} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {6BAE1971-AD64-3D73-FE2A-78C732799C6E} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {6F7E4B61-54D2-1FB5-F1A2-3A331E147E3E} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

This is the first time I have ever used hijack this...please be gentle with me.

Jen

guestolo · « **Reply #1 on:** March 20, 2005, 06:24:02 PM »

Hi Jen, can you please first Register and then post a fresh hijackthis log
will try and look at your log at first chance, thanks

JenE · « **Reply #2 on:** March 20, 2005, 06:32:09 PM »

OK..I'm all registered. DO you want me to put the new log in a new post...or just post it here?

Jen

JenE · « **Reply #3 on:** March 20, 2005, 06:39:40 PM »

Ok...I'm going to go ahead and post my fresh log here. I guess you will let me know if I need to do something different.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Logfile of HijackThis v1.99.1
Scan saved at 3:29:20 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\otqycg.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\windows\system32\calc.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hotbar\Bin\4.6.1.0\HbSrv.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O1 - Hosts: 69.50.177.254 google.com www.google.com www.gooogle.com gooogle.com
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [xjvptjep] C:\WINDOWS\System32\xjqenvvm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [otqycg] c:\windows\system32\otqycg.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {01A82FAC-D9A9-67EC-665F-1BE95CF7A0C9} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0CE55843-1693-18B0-FD3C-155074C95B5B} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0F5B4505-6EE1-337D-704D-5210605C52D0} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {12AB6DBE-AB24-6826-3A1B-0E6D6B0DF0D8} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab
O16 - DPF: {15CDE707-80DF-1958-3278-03124A6A2FA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {1EC74EF1-5B81-1164-2366-62A64BE55D70} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {204B087A-8B03-2C28-2771-7851032A33FC} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {24692DC5-C9C2-55D2-8FA8-79A9392220ED} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {29D26379-39E8-047E-47B7-7FF152623A35} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {34143973-F098-4E74-1B19-67ED55D94750} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3AE77F61-7AEA-1E42-F679-27167190FE48} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {3D955CBE-54BF-243D-2CB4-72FC18CC22AD} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {486BE088-351A-790B-0645-092E119B3BA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {4A8213BA-6633-1E19-06E0-03D004676AF9} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {54D8FD11-D73A-7797-8270-43880A70C3C5} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {5748C11E-2386-6861-1E72-3BF06C4AB3EB} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A02DFE7-0EB8-60D1-0CE9-468915A6D088} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {6BAE1971-AD64-3D73-FE2A-78C732799C6E} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {6F7E4B61-54D2-1FB5-F1A2-3A331E147E3E} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks!
Jen

guestolo · « **Reply #4 on:** March 20, 2005, 10:12:35 PM »

Just walked back in a little while ago, sorry for the wait

Can you Close down all browser windows and then Enter your Add/Remove Programs and remove if found
[
New.net Application or New.net Domains

Ensure you Restart your computer after removal
If it is not listed in your Add/Remove programs use this link
http://www.newdotnet.com/removal.html
Preferrably procedure 4 if it wasn't uninstalled earlier
You can save the uninstaller to desktop, close down all other windows
Run the uninstaller
Restart your computer afterwards

Back in Windows
Go back to Add/Remove Programs and remove if found
Media Access
Hotbar and/or Web Tools from Hotbar
Security iGuard

RESTART your computer again after removal if found

Post back with a fresh Hijackthis after doing the above

JenE · « **Reply #5 on:** March 20, 2005, 11:02:47 PM »

No need to apologize.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

I followed your above directions and here is my fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:57 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdata\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\otqycg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\windows\system32\packager.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O1 - Hosts: 69.50.177.254 google.com www.google.com www.gooogle.com gooogle.com
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [otqycg] c:\windows\system32\otqycg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)
O16 - DPF: {01A82FAC-D9A9-67EC-665F-1BE95CF7A0C9} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0CE55843-1693-18B0-FD3C-155074C95B5B} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0F5B4505-6EE1-337D-704D-5210605C52D0} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {12AB6DBE-AB24-6826-3A1B-0E6D6B0DF0D8} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab
O16 - DPF: {15CDE707-80DF-1958-3278-03124A6A2FA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {1EC74EF1-5B81-1164-2366-62A64BE55D70} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {204B087A-8B03-2C28-2771-7851032A33FC} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {24692DC5-C9C2-55D2-8FA8-79A9392220ED} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {29D26379-39E8-047E-47B7-7FF152623A35} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {34143973-F098-4E74-1B19-67ED55D94750} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3AE77F61-7AEA-1E42-F679-27167190FE48} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {3D955CBE-54BF-243D-2CB4-72FC18CC22AD} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {486BE088-351A-790B-0645-092E119B3BA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {4A8213BA-6633-1E19-06E0-03D004676AF9} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {54D8FD11-D73A-7797-8270-43880A70C3C5} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {5748C11E-2386-6861-1E72-3BF06C4AB3EB} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A02DFE7-0EB8-60D1-0CE9-468915A6D088} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {6BAE1971-AD64-3D73-FE2A-78C732799C6E} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {6F7E4B61-54D2-1FB5-F1A2-3A331E147E3E} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks!
Jen

guestolo · « **Reply #6 on:** March 20, 2005, 11:57:20 PM »

A little better, still some more cleanup

Download and UNZIP to desktop
HSFIX.zip
HSFix directory will be created
We'll need this later

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Access your add/remove programs and remove if found
Comet Systems or similiar
and Ebates_MoeMoneyMaker

Save the rest of this too a notepad file or Print out the instructions
Restart your computer into SAFE MODE

Find and delete these files or folders if found
C:\WINDOWS\Pynix.dll <-file
C:\WINDOWS\cerbmod.dll
c:\windows\tasks\sa.dat
C:\WINDOWS\farmmext.exe
c:\windows\system32\otqycg.exe

C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\NewDotNet <-folder
C:\Program Files\WebsiteViewer <-folder
C:\Program Files\Security iGuard <-folder
C:\Program Files\Hotbar <-folder
C:\Program Files\Media Access <-folder
c:\windows\inetdata <-folder

Let me know if you see any of these in that folder
c:\windows\inetdata\services.exe
c:\windows\inetdata\explorer.exe
c:\windows\inetdata\winlogon.exe
c:\windows\inetdata\2.00.00.dll
c:\windows\inetdata\cron.ini

Navigate too and delete the Whole contents of your temp folders, or whatever you can
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

===In safe mode
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O1 - Hosts: 69.50.177.254 google.com www.google.com www.gooogle.com gooogle.com
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll

O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [otqycg] c:\windows\system32\otqycg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O9 - Extra button: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {48F6D84E-8135-4E79-889C-B213BE145F9D} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A46F02D0-DAF1-4958-9B52-BF5BB81A79D2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AA3859A3-367A-439C-9BFD-526F1E589AE6} - (no file) (HKCU)

O16 - DPF: {01A82FAC-D9A9-67EC-665F-1BE95CF7A0C9} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0CE55843-1693-18B0-FD3C-155074C95B5B} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {0F5B4505-6EE1-337D-704D-5210605C52D0} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {12AB6DBE-AB24-6826-3A1B-0E6D6B0DF0D8} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab
O16 - DPF: {15CDE707-80DF-1958-3278-03124A6A2FA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {1EC74EF1-5B81-1164-2366-62A64BE55D70} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {204B087A-8B03-2C28-2771-7851032A33FC} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {24692DC5-C9C2-55D2-8FA8-79A9392220ED} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {29D26379-39E8-047E-47B7-7FF152623A35} - http://69.50.182.94/1/rdgUS994.exe

O16 - DPF: {34143973-F098-4E74-1B19-67ED55D94750} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3AE77F61-7AEA-1E42-F679-27167190FE48} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {3D955CBE-54BF-243D-2CB4-72FC18CC22AD} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {486BE088-351A-790B-0645-092E119B3BA8} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {4A8213BA-6633-1E19-06E0-03D004676AF9} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {54D8FD11-D73A-7797-8270-43880A70C3C5} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {5748C11E-2386-6861-1E72-3BF06C4AB3EB} - http://69.50.182.94/1/rdgUS994.exe

O16 - DPF: {6A02DFE7-0EB8-60D1-0CE9-468915A6D088} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {6BAE1971-AD64-3D73-FE2A-78C732799C6E} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {6F7E4B61-54D2-1FB5-F1A2-3A331E147E3E} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Stay in safe mode
Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later

Restart back to Normal mode

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart your computer too finish the cleaning process

Download this virus checker from eScan, this will help identify other files
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane Post it back here

****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Also post a fresh Hijackthis log
Along with the log from HSFix.bat>>C:\hslog.txt <-this log

JenE · « **Reply #7 on:** March 21, 2005, 10:18:06 PM »

Followed above instructions and will post logs below. I have a few questions though.

1. Should I have turned off system restore before doing all of this?
2. When all of this is done should I go back hide the folders I have unhidden?
3. Should I have emptied my recycle bin right away after deleting files and folders I was directed to delete?
4. I haven't been able to use Notepad and from the virus log it looks like it is infected. How can I fix that?

All of these were found in the inetdata folder.
c:\windows\inetdata\services.exe
c:\windows\inetdata\explorer.exe
c:\windows\inetdata\winlogon.exe
c:\windows\inetdata\2.00.00.dll
c:\windows\inetdata\cron.ini

Mwav virus log:
File C:\WINDOWS\inetdata\winlogon.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\inetdata\winlogon.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sysprinter.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart2.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart6.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart7.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_64.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\notepad.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\You!\LOCALS~1\TEMPOR~1\Content.IE5\AYUT9XOQ\rdgUS994[1].exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\You!\Application Data\Mozilla\Firefox\Profiles\f99928dh.Default User\Cache\F8BCA334d01 tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\You!\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-66d002b9-36c50bc2.zip infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\You!\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\chainz.jar-5d03bb16-774ae688.zip tagged as not-a-virus:JavaClass.FormURLToy. No Action Taken.
File C:\Documents and Settings\You!\Desktop\D'loads\Install_AIM.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\You!\Desktop\HSFix\HSFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\You!\Desktop\HSFix.zip tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\You!\Local Settings\Temporary Internet Files\Content.IE5\AYUT9XOQ\rdgUS994[1].exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\LexmarkX83\RemoveX83.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\LexmarkX83\setupx83part2ww.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\LexmarkX83\X83Twain.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01A00383.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01BE7D63.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01C87B58.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01DE213F.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01E57538.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01F21D29.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02134105.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\021D3EFB.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\023364E1.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\024A0AC8.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\026E58A1.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02857E88.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\029C246E.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02A62264.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02D04435.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02D7182E.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02F73C0A.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\030463FB.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0387736C.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\040A02DC.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\04172ACE.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\043B78A6.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\04511E8D.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\04A00E37.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\07A92C4B.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\07AC5647.exe infected by "Email-Worm.Win32.CWS.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\07C34B4B.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0A114A29.exe infected by "Trojan-Downloader.Win32.Intexp.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0CA63762.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0CBD5D49.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0CFB7B05.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D1220EC.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D1B1EE1.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D2272DA.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D2A7A3A.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D4640B2.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D4C14AB.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D601095.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D9B0455.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0DA82C46.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0E0D41D7.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0E173FCC.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0E450B9A.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0E62057A.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0E695972.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0E7F7F59.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0ECE6F03.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0EE16AED.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0EEB68E3.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0F0C0CBF.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0F160AB4.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0F305A97.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0F3A588C.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10357978.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\103F776D.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10561D54.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10594E15.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\105F1B49.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10764130.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10803F25.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\108A3D1A.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\109A0F08.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10B134EF.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10C106DD.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10D82CC4.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10EF52AB.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\11132083.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\111A747C.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\11301A63.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\113D4255.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1144164D.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\141F2754.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\179B1953.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1F72401D.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\25517277.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E0C0EEA.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E1362E3.exe infected by "not-a-virus:AdWare.WebRebates.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E160CDF.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E200AD4.exe infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E2334D1.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E265ECD.exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E2908CA.exe infected by "not-a-virus:AdWare.ToolBar.ImiBar.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E2D32C6.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E305CC2.exe infected by "Trojan-Downloader.Win32.Intexp.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E3306BF.exe infected by "Trojan-Downloader.Win32.Intexp.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3A8F0FB5.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4260174F.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46106A33.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46141430.exe infected by "Email-Worm.Win32.CWS.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46141430.tmp infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46A83CAE.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46AC66AA.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46B23AA3.dll infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46B23AA3.exe infected by "Trojan-Dropper.Win32.180Solutions.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4DF1534D.exe infected by "Trojan-Downloader.Win32.Intexp.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\54326F34.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\54361930.exe infected by "Email-Worm.Win32.CWS.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\589070FB.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\58931AF8.exe infected by "Email-Worm.Win32.CWS.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\59E70553.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\65784152.exe infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\772730C6.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\ShopperReports\Bin\1.0.0.1\smrtshpr.dll infected by "not-a-virus:AdWare.Comet.d" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc10.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc1220.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc15\2.00.00.dll infected by "not-a-virus:AdWare.BHO.Ihbo.gen" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc15\3.00.00.dll infected by "not-a-virus:AdWare.BHO.Ihbo.gen" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc15\services.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc15\winlogon.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc47\farmmext.cab infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc47\pynix.cab infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc47\Pynix.dll infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc50.tmp\hbinstie.dll infected by "not-a-virus:AdWare.ToolBar.Hotbar.t" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc7.dll infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc8.dll infected by "not-a-virus:AdWare.BHO.NoName.l" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-73586283-57989841-839522115-1003\Dc88.tmp\MMaker4b.exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0000007.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001001.dll infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001010.dll infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001011.exe infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001012.exe infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001014.dll infected by "not-a-virus:AdWare.ToolBar.Hotbar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001015.dll infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001016.exe infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001017.dll infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001018.dll infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001019.exe infected by "not-a-virus:AdWare.ToolBar.Shopper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001020.exe infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001021.exe infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001022.dll infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001024.exe infected by "not-a-virus:AdWare.ToolBar.Shopper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001026.exe infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001027.exe infected by "not-a-virus:AdWare.ToolBar.Shopper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001028.dll infected by "not-a-virus:AdWare.ToolBar.ag" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001032.dll infected by "not-a-virus:AdWare.ToolBar.Hotbar.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001033.dll infected by "not-a-virus:AdWare.ToolBar.Hotbar.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001034.dll infected by "not-a-virus:AdWare.ToolBar.ag" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001035.exe infected by "not-a-virus:AdWare.ToolBar.Hotbar.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001036.dll infected by "not-a-virus:AdWare.ToolBar.ag" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001037.exe infected by "not-a-virus:AdWare.ToolBar.Hotbar.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001038.dll infected by "not-a-virus:AdWare.ToolBar.Hotbar.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001040.exe infected by "not-a-virus:AdWare.Comet.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001041.dll infected by "not-a-virus:AdWare.ToolBar.Hotbar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001042.exe infected by "not-a-virus:AdWare.ToolBar.Hotbar.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001044.dll infected by "not-a-virus:AdWare.HotBar.an" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001053.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001056.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP1\A0001057.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP2\A0001080.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0226F261-DA7A-47C3-B85E-FE0BD250478F}\RP2\A0001081.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\temp\sahagent-cdt1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\rdgUS896.exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\rdgUS994.exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart2.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart6.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart7.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\inetdata\3.00.00.dll infected by "not-a-virus:AdWare.BHO.Ihbo.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\inetdata\services.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_64.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\notepad.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\WINNT\NOTEPAD.EXE infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\notepad.exe infected by "Trojan-Downloader.Win32.CWS.gen" Virus. Action Taken: No Action Taken.
File C:\WinXpCrackEN\WinXpCrackEN\WinXP.Activation.v1.1.English.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:15:29 PM, on 3/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [printer] C:\WINDOWS\System32\sysprinter.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6736B1DA-1758-413D-89E9-B0D33D876C02} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6736B1DA-1758-413D-89E9-B0D33D876C02} - (no file) (HKCU)
O16 - DPF: {1A9499D9-E0B6-6AC5-78B2-697508F20565} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2F67F11B-596E-007A-A745-632F30F86378} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {49FAE7A3-7B4E-64B8-8DD4-5AD923118642} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

HSFix log:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

Hope I posted everything you need.

Thanks!
Jen

guestolo · « **Reply #8 on:** March 22, 2005, 12:39:08 AM »

===Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, recylebin
Windows Cleanup
Install for now, don't run a scan yet

===Download the Pocket Killbox
UNZIP it to a folder of your choice

===Download and save to Deskop Notepad_XP.zip
[attachment=78:attachment]
We'll need this later

Please copy and paste these instructions to an empty Wordpad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer

Disable System Restore

===Open your Control Panel>>Open the Java Plugin
click the Cache Tab and Clear the cache

===Open Hijackthis>>Open Misc tools Section>>Open Process Manager
Kill this process if you can, exact process
C:\WINDOWS\inetdata\winlogon.exe

===Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [printer] C:\WINDOWS\System32\sysprinter.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O9 - Extra button: Microsoft AntiSpyware helper - {6736B1DA-1758-413D-89E9-B0D33D876C02} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6736B1DA-1758-413D-89E9-B0D33D876C02} - (no file) (HKCU)

O16 - DPF: {1A9499D9-E0B6-6AC5-78B2-697508F20565} - http://69.50.182.94/1/rdgUS994.exe

O16 - DPF: {2F67F11B-596E-007A-A745-632F30F86378} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {49FAE7A3-7B4E-64B8-8DD4-5AD923118642} - http://69.50.182.94/1/rdgUS994.exe

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

===Run Pocket KillBox>>Now you have Killbox and this notepad file open

In Killbox
At the main screen of Pocket Killbox

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\System32\sysprinter.exe

Press the Delete file button >>The Red circle and a white X
Do the same for the rest of these below
Keep track of any files that won't delete, we'll need those in a bit

C:\WINDOWS\dstart2.exe
C:\WINDOWS\dstart6.exe
C:\WINDOWS\dstart7.exe
C:\WINDOWS\NDNuninstall5_64.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\wldr.dll
C:\WINDOWS\System32\wldr.dll
C:\DOCUME~1\You!\LOCALS~1\TEMPOR~1\Content.IE5\AYUT9XOQ\rdgUS994[1].exe
C:\temp\sahagent-cdt1004.exe
C:\WINDOWS\Downloaded Program Files\rdgUS896.exe
C:\WINDOWS\Downloaded Program Files\rdgUS994.exe
C:\WINDOWS\inetdata\3.00.00.dll
C:\windows\inetdata\explorer.exe
C:\windows\inetdata\winlogon.exe
C:\windows\inetdata\2.00.00.dll
C:\windows\inetdata\cron.ini
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINNT\NOTEPAD.EXE
C:\WINNT\system32\notepad.exe

For any file that wouldn't delete, again copy and paste that entry into Killbox,
but this time, use the Delete on Reboot radio button
Press the button with a red circle and a white X.
If asked to Reboot now, don't until you have entered the last entry
After entering the the last path to any file that wouldn't delete
Allow the computer to Reboot
or Restart the computer anyways, try and restart into safe mode

In safe mode
Find and delete this folder if found
c:\windows\inetdata <-folder

Scan with Hijackthis again and ensure all those entries you fixed earlier in this reply are gone

You can enter Norton's Quarantine list and delete the files if you wish

Stay in safe mode
Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done

Restart your computer back to Normal mode
Reenable System Restore

UNZIP notepad_xp.zip
To these folders
C:\WINDOWS
C:\WINDOWS\System32
C:\WINNT
C:\WINNT\system32

Post back a fresh Hijackthis log afterwards

I edited the above, I said copy and paste instructions to a Notepad file
I meant Wordpad or similiar, sorry

JenE · « **Reply #9 on:** March 22, 2005, 02:37:04 AM »

Fresh log after following above instructions.

Logfile of HijackThis v1.99.1
Scan saved at 11:34:42 PM, on 3/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HJT\hijackthis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Jen

guestolo · « **Reply #10 on:** March 22, 2005, 08:31:21 PM »

Looks good, how's everything on your end?

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

If your version of Windows is legit, why so far behind on Windows Updates?
This is very important in keeping your system secure online as well

JenE · « **Reply #11 on:** March 22, 2005, 09:54:34 PM »

Thanks for all of your help...things seem to look good from this end.

Should I go back in and "hide" those folders that I unhid before to do all the cleaning up?

Also...about my windows. My updates are so far behind because I had my computer repaired after a crash. After the repair I started getting a message that my windows was going to stop working if I didn't register it. So I tried to use the numbers that came with my computer and they didn't work. So I called the guy that did the repair and he told me that he couldn't use his registration number on any more computers. He said that an update I had done had made it start asking me for the registration numbers and he helped me fix it, but then he told me not to do a certain update...can't remember exactly what it was now...or the same thing would happen. So I stopped doing the updates because I was afraid the same thing would happen again. I don't know if that makes my version not legit. It was something I hadn't thought about before hand. I trusted that this guy was fixing computers legitimately....maybe he's not?

Thanks for all your help...if you can give any advice on the above that would be great.

Jen

guestolo · « **Reply #12 on:** March 22, 2005, 11:25:28 PM »

Yes, go back and Hide hidden files and folders

I'm not sure I understand, your not sure if you have a legal copy of Windows XP
Do you have a copy of XP???
I don't mean installed on your system but the actual CD
It sounds like it's not the original but installed and burned by someone else

Unfortunately, I don't endorse illegal software
There is lot's of information around the NET where you can find workarounds

Stay safe

JenE · « **Reply #13 on:** March 23, 2005, 02:25:26 AM »

When I purchased my computer it came with xp installed. I purchased my computer new, but it never had a cd for xp. It had no type of recovery disks at all. The recovery is in a hidden partition. Does that make sense?

When my computer crashed...I couldn't get into the hidden partition to run recovery. I couldn't do anything. So I took it to a shop and paid for repair.

So, no...I don't have a cd...but I never have. But I didn't think that taking my computer in for repairs made it illegal. What else would you do if your computer crashed and you didn't know how to fix it?

Jen

TheTechGuide Forum

News:

Author Topic: need websiteviewer help (Read 5247 times)

JenE

need websiteviewer help

guestolo

need websiteviewer help

JenE

need websiteviewer help

JenE

need websiteviewer help

guestolo

need websiteviewer help

JenE

need websiteviewer help

guestolo

need websiteviewer help

JenE

need websiteviewer help

guestolo

need websiteviewer help

JenE

need websiteviewer help

guestolo

need websiteviewer help

JenE

need websiteviewer help

guestolo

need websiteviewer help

JenE

need websiteviewer help