Author Topic: Dao Search is like herpes  (Read 5516 times)

TSD151
« on: April 11, 2005, 04:46:58 PM »
I also have this Dao search thing on my computer. Please help... here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:53 AM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\Services\{37BD08E2-D894-427F-92EE-32B84D2D958D}\SVCHOST.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\ktfaqiq.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Documents and Settings\T & A\Start Menu\Programs\Startup\winupdate09854745[1].exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG05.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cmdtel.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\DOCUME~1\T&A~1\LOCALS~1\Temp\tmp1D.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\T&A~1\LOCALS~1\Temp\tmp2C.tmp
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{AC17DF38-43A8-441B-A8EF-6EE83DB35B48}\SVCHOST.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [hssdali] c:\windows\nfxouiy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: winupdate09854745[1].exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: NTDBGTOOL - {0150A00B-2948-4307-B95E-7AC92526A7E4} - C:\WINDOWS\System32\sssttask.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

guestolo
« Reply #1 on: April 11, 2005, 10:52:07 PM »
Can you do the following please
Access your Add/Remove Programs and remove, if found:
P2P Networking: usually associated with Kazaa, a useless add-on that can cause slow browsing experiences
If prompted to remove Altnet, do so
If not, remove Altnet too

Also remove InstaFinderK

If you didn't purposely install MyWay
I would remove it too

Restart your computer if all or any are removed

Back in Windows

===Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Install for now, don't run a scan yet

====Download and UNZIP to a folder
HSFIX.zip
HSFix directory will be created
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet

===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
 and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt <--we'll need this later

Restart back to Normal mode

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the "check for updates now" link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows

Download and Install Spybot S&D 1.3
After installation--Click the Update button on the left
Then SEARCH FOR UPDATES
Check and Download all updates
Afterwards, click the Search and Destroy button
Check for Problems---Let it complete its scan
FIX everything in RED>>Should be checked by default

Restart the computer again to finish the cleaning process

Post back a fresh HijackThis log afterwards and we'll go from there
Could you also post the log from hsfix.bat>>C:\hslog.txt
« Last Edit: April 12, 2005, 02:13:07 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


TSD151
« Reply #2 on: April 12, 2005, 01:35:19 PM »
Thank you for the info. I got to the download the Ad-Aware SE part of your instructions, but when I click download, it takes forever...I've been sitting here for 45 minutes now. It says "Download in progress" but nothing has happened for 45 minutes now??

Also, on my desktop I now have the following message:

Fatal error in IE has occured at 0028:c0011E36 in VXD VMM(01) + 00010e36 Error was caused by Trojan-Spy.html.smitfrau.c

Is this something that is a part of this Dao Search thing?

guestolo
« Reply #3 on: April 12, 2005, 01:58:09 PM »
I wouldn't worry about the error message yet, looks like it's related to a Trojan
May be gone now, or related files are gone

Not sure about the download of Ad-Aware
Can you cancel it and download it from
This link
It's in zipped format, so you'll have to unzip it and then Install and update

May be best after you check for updates
You restart into Safe mode and run the Full System Scan

EDIT>>If you have problems updating Ad-Aware, let me know
I'll upload the latest definitions for you
« Last Edit: April 12, 2005, 02:05:31 PM by guestolo »

TSD151
« Reply #4 on: April 12, 2005, 03:44:07 PM »
Well I clicked on the link you provided for the Ad-Aware and then clicked on the red "Download" button...again nothing happened. Now my desktop is all black with some ad about my computer is infected with spyware. Help...before I throw this thing out the window.

guestolo
« Reply #5 on: April 12, 2005, 03:49:20 PM »
I need you to carry on with the rest of the instructions
Don't worry about Ad-Aware at this time

Go onto the rest of the instructions with Spybot

Try this link if the other one doesn't work for you
http://spybot.zone-x.com/spybotsd13.exe

Again, make sure you check for updates with Spybot after installation

If you can't get the scan to run in normal mode
Restart into safe mode after it's installed and updated and run the scan

Post back with a fresh Hijackthis log afterwards

Regardless of what you could or couldn't do

TSD151
« Reply #6 on: April 13, 2005, 11:34:20 AM »
I was able to download the Spybot and check for updates with no problem. It fixed about 10-12 items on the first run and another five after a restart. I still cannot download Ad-Aware. Here is the latest HijackThis log. My desktop still has the Fatal error message.

Logfile of HijackThis v1.99.1
Scan saved at 9:28:26 AM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\wisvccz.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\wp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [acxbjts] c:\windows\amxddlm.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: winupdate09854745[1].exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: NTDBGTOOL - {0150A00B-2948-4307-B95E-7AC92526A7E4} - C:\WINDOWS\System32\sssttask.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

« Reply #7 on: April 13, 2005, 09:41:08 PM »
What Happened to the log from Hsfix.bat??

If you didn't download, download it now!!!!
From the link I supplied you earlier
Unzip as I mentioned above
If you did run it, Navigate to
C:\hslog.txt <--this file
Right click on it and rename it to hslog1.txt

After that is done

==Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

==Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link I supplied for a more detailed explanation

==In SAFE MODE==
==Next: Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Loading Outpost Connections

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

Afterwards
==Find and delete these files or folders if found, take a close look at the file names
don't delete something because it looks similar

C:\WINDOWS\system32\init32m.exe <-this file
C:\WINDOWS\System32\cmdtel.exe <-file
C:\WINDOWS\System32\wisvccz.exe <-file
C:\WINDOWS\System32\spoolsrv32.exe <-file, exact name
C:\WINDOWS\System32\sssttask.dll <-file
C:\WINDOWS\system32\wldr.dll <-file
c:\windows\system32\taskmg.exe <-file, exact name
c:\windows\amxddlm.exe <-file
C:\windows\ktfaqiq.exe <-file
C:\wp.exe <-file
C:\Documents and Settings\T & A\Start Menu\Programs\Startup\winupdate09854745[1].exe <-file

C:\Program Files\MyWay <-folder
C:\Program Files\InstaFinderK <-folder
c:\program files\altnet <-folder
C:\WINDOWS\System32\P2P Networking <-folder
C:\WINDOWS\System32\Services\{AC17DF38-43A8-441B-A8EF-6EE83DB35B48} <-folder
C:\Program Files\Security iGuard <-folder

===Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and Paste or Type the next entry in bold to the blank open field box and hit OK

KDE

==When that's done, run Windows CleanUp! again in safe mode
When it's done scanning for files
Don't Log off yet

Instead
==Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what you find

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O4 - HKCU\..\Run: [acxbjts] c:\windows\amxddlm.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - Startup: winupdate09854745[1].exe

O9 - Extra button: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0128B717-DBC3-4B30-BA7E-2F39D89C2070} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31FE8235-1CD4-480F-8EB3-F382A46F9D4B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {38615F6F-D8B4-4DB1-A899-0478898CF9CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {440E7FFA-51FA-472E-8DB7-47A2D018D347} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3B9F88-9D53-48BE-8BD7-B36D56A4390F} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BF065EBF-98AB-4EC9-8B37-D1FA83ADE701} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DA00890B-A003-46C9-AF88-354E72124392} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E785AABD-5EFC-4793-92A2-703C7D6A79FB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E97BE5EC-81A6-4654-80C6-254725452D7E} - (no file) (HKC

O21 - SSODL: NTDBGTOOL - {0150A00B-2948-4307-B95E-7AC92526A7E4} - C:\WINDOWS\System32\sssttask.dll

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt <--we'll need this later

Restart back to Normal mode

Don't open a browser yet
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

Run another scan with Hijackthis and post the log

POST the logs from HSFix.bat
C:\hslog.txt <--this log
and
C:\hslog1.txt <-this log

Could you also let me know what other files or folders you see in the below folder
C:\WINDOWS\System32\Services <-this folder

Look over what I asked you to do above
Post back all required logs, keep me updated
It helps both you and myself
Do what you can from the above, let me know what you couldn't accomplish after

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline TSD151

« Reply #8 on: April 14, 2005, 11:55:43 AM »
I did download HSfix, I just forgot to include the log. There isn't much on the log, but here it is:

Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-

When I got to the part in your instructions about double clicking the outpost connections...I did and when the next window came up, nothing was running for me to STOP the service. I still changed the startup type to disabled and that's all that happened, the type changed to disabled and nothing more...your instructions made it sound as if something would then run or list some files for me to find and delete. I tried to hit the start button once the type was changed to disabled, but I received the following alert:

Could not start the loading outpost connections service on local computer. Error 1084: This service cannot be started in safe mode.


I didn't know if I should continue beyond that point so I stopped there.

Thank you for your continued support.

Offline guestolo

« Reply #9 on: April 14, 2005, 05:31:05 PM »
I definitely don't want you to try and Start the service
That would be opposite of what I asked you to do
I guess I should say, STOP the service if running

The files and folders to delete, you will have to manually navigate to them on your computer and remove them

Again, read over what I asked

Do what you can from the instructions I posted

Remember my last comment
Quote
Do what you can from the above, let me know what you couldn't accomplish after
« Last Edit: April 14, 2005, 05:33:34 PM by guestolo »



Offline TSD151

« Reply #10 on: April 14, 2005, 08:03:45 PM »
I did everything you listed, and here is the last Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:56:56 PM, on 4/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\igafoaj.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\windows\mlywdop.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pthihoo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [cjnvqev] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjvggol] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gkbyegr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swcyqoi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [taxuayf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wdrcgqp] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvdsxmt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [comcnfv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [coijxwn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gnbwsmn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iicisty] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [npcuxfm] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lwitmgh] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ohjpjuv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvsrmfr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hucerrj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [aldeesa] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dtxfgyq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ojdfpfi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [xmqlnrq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pdusyfn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [magaptx] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vpeawea] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iineube] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qybbedn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [maopbyw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mtwajyv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [nximrbt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [frkbkow] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dqfkefo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ocvglvl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pqxfvyr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [snrjnph] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjcmskc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ystaqag] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wddcowb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ewmjmfj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qscbnsf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qgvwqkd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [obvypkk] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vyrokxn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [sfpkhcu] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hlcgffr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vvqxega] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iprqkia] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swvgrwd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iaaebrt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ukhruyg] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lrcpqcn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ochxdul] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [abvrxxv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iraklpi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iewecgs] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vcilxhi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [eebdkhn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ckxfdmj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [alerqgo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [atitaje] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gqubxjy] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lvsievb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [shgpbkq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [bklbain] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [fniqpmf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ikvbalc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [slkjptw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qfvqcku] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [kfmwjks] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [jiaebkl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lltdteb] c:\windows\ivdsybm.exe
O4 - HKCU\..\Run: [pciywqt] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [awrgctm] c:\windows\jxwtqgy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here is the last HSfix log:

Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-


Most of the stuff you said to find and delete, I was able to, but there were some I could not locate. Also at the end of your instructions, where you said to go to control panel and into display properties...I was unable to complete that part because there was no Desktop tab???

Thanks again for your support and patience.
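
The log in the post above shows dozens of randomly named HKCU Run values all launching c:\windows\igafoaj.exe, and an earlier log in this thread lists a service with "Unknown owner"; both patterns can be pulled out of a HijackThis log mechanically. The Python below is an added example, not part of the thread or of HijackThis: the rule names, the `c:\windows` default and the three heuristics are assumptions made for illustration, and the sample lines are excerpted from the logs posted in this thread.

```python
import ntpath  # applies Windows path rules on any OS
import re
from collections import defaultdict

# Lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKCU\..\Run: [pthihoo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [cjnvqev] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjvggol] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lltdteb] c:\windows\ivdsybm.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|bat|scr|dll))(?=[\s,]|$)', re.I)


def command_target(command):
    """Return the normalised executable a Run command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        # Unquoted paths may contain spaces, so cut at the first extension.
        match = EXE_RE.match(command)
        path = match.group(1) if match else command.split()[0]
    return ntpath.normcase(path)


def parse_autoruns(log):
    """Yield (hive, key, value_name, target) for each O4 registry Run line."""
    for line in log.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            hive, key, name, command = match.groups()
            yield hive, key, name, command_target(command)


def parse_services(log):
    """Yield (display_name, owner, path) for each O23 service line."""
    for line in log.splitlines():
        match = O23_RE.match(line.strip())
        if match:
            yield tuple(part.strip() for part in match.groups())


def triage(log, windir=r"c:\windows"):
    """Return (rule, subject, detail) findings for a human to review."""
    windir = ntpath.normcase(windir)
    names_by_target = defaultdict(set)
    for _hive, _key, name, target in parse_autoruns(log):
        names_by_target[target].add(name)

    findings = []
    for target, names in sorted(names_by_target.items()):
        # Many different value names pointing at one file: re-registration.
        if len(names) >= 2:
            findings.append(("shared-target", target, len(names)))
        # Autorun file sitting directly in the Windows folder itself.
        if ntpath.dirname(target) == windir:
            findings.append(("windows-root", target, len(names)))
    for name, owner, path in parse_services(log):
        # HijackThis prints this owner when the file has no company name.
        if owner.lower() == "unknown owner":
            findings.append(("unknown-owner", path, name))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:14} {subject}  ({detail})")
```

These heuristics only rank entries for review; they do not catch look-alike names such as taskmg.exe, which the helper picked out by reading the file name.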

Offline guestolo

« Reply #11 on: April 14, 2005, 09:52:24 PM »
Let's do the following
Create a fresh restore point so we have something to fall back on, just in case we must restore your computer
Start>>All Programs>>Accessories>>System Tools>>System Restore
Create a New Restore point
Name it and click Create

Afterwards
Any files you have personally saved on the desktop, please copy and paste them to a folder such as MyDocuments

Let's do the following
==Download and UNZIP to a folder Fixdisplay.zip
So you now have Fixdisplay.reg unzipped to a folder

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Find and delete these files or folders if found
C:\windows\igafoaj.exe <-file
c:\windows\ivdsybm.exe <-file
c:\windows\ovfxudw.exe <-file
c:\windows\jxwtqgy.exe <-file
C:\windows\mlywdop.exe <-file
C:\windows\desktop.html <-file
C:\windows\Web\desktop.html <-file

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe

O4 - HKCU\..\Run: [pthihoo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [cjnvqev] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjvggol] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gkbyegr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swcyqoi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [taxuayf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wdrcgqp] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvdsxmt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [comcnfv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [coijxwn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gnbwsmn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iicisty] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [npcuxfm] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lwitmgh] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ohjpjuv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [rvsrmfr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hucerrj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [aldeesa] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dtxfgyq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ojdfpfi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [xmqlnrq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pdusyfn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [magaptx] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vpeawea] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iineube] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qybbedn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [maopbyw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mtwajyv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [nximrbt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [frkbkow] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [dqfkefo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ocvglvl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [pqxfvyr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [snrjnph] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [mjcmskc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ystaqag] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [wddcowb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ewmjmfj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qscbnsf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qgvwqkd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [obvypkk] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vyrokxn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [sfpkhcu] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [hlcgffr] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vvqxega] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iprqkia] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [swvgrwd] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iaaebrt] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ukhruyg] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lrcpqcn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ochxdul] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [abvrxxv] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iraklpi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [iewecgs] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [vcilxhi] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [eebdkhn] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ckxfdmj] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [alerqgo] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [atitaje] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [gqubxjy] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lvsievb] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [shgpbkq] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [bklbain] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [fniqpmf] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [ikvbalc] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [slkjptw] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [qfvqcku] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [kfmwjks] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [jiaebkl] c:\windows\igafoaj.exe
O4 - HKCU\..\Run: [lltdteb] c:\windows\ivdsybm.exe
O4 - HKCU\..\Run: [pciywqt] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [awrgctm] c:\windows\jxwtqgy.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on Fixdisplay.reg and allow to merge to the registry

Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done

Restart your computer back to Normal mode

Again, try the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

If you are now capable of downloading and running Ad-Aware, do so from the links I supplied
Remember to check for updates and Restart the computer after running the scan and fixing the objects

Post back with a fresh hijackthis log afterwards
« Last Edit: April 16, 2005, 06:29:43 PM by guestolo »



Offline TSD151

« Reply #12 on: April 15, 2005, 12:34:59 PM »
I accomplished almost everything in your last, but still I am not able to download Adaware, also when I go to the control panel and switch to Classic View, then click on Display, there is no desktop tab. So I was unable to complete the final steps again. Here is my latest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:37 AM, on 4/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [blcxref] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [oxdcxlg] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [bgorxkd] c:\windows\rhdhnjt.exe
O4 - HKCU\..\Run: [lacodij] c:\windows\fvafoqd.exe
O4 - HKCU\..\Run: [uqjiwwe] c:\windows\jwcvbaw.exe
O4 - HKCU\..\Run: [kpahdbh] c:\windows\lefiiwp.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

Dao Search is like herpes
« Reply #13 on: April 15, 2005, 11:41:27 PM »
Ensure you downloaded and UNZIPPED to a folder Fixdisplay.reg

Afterwards, print the rest of this out or save it to a notepad file

Disconnect from the Internet

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O4 - HKCU\..\Run: [blcxref] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [oxdcxlg] c:\windows\ovfxudw.exe
O4 - HKCU\..\Run: [bgorxkd] c:\windows\rhdhnjt.exe
O4 - HKCU\..\Run: [lacodij] c:\windows\fvafoqd.exe
O4 - HKCU\..\Run: [uqjiwwe] c:\windows\jwcvbaw.exe
O4 - HKCU\..\Run: [kpahdbh] c:\windows\lefiiwp.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Afterward, double click on Fixdisplay.reg and allow to merge to the registry

Restart your computer

Find and delete these files if they exist
c:\windows\ovfxudw.exe
c:\windows\rhdhnjt.exe
c:\windows\fvafoqd.exe
c:\windows\jwcvbaw.exe
c:\windows\lefiiwp.exe

Again, try the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

 Post back a fresh Hijackthis log afterwards
« Last Edit: April 16, 2005, 12:14:29 AM by guestolo »



Offline TSD151

Dao Search is like herpes
« Reply #14 on: April 16, 2005, 03:50:35 PM »
Things seem to be getting better each time, I no longer see Dao search popups, and the trojan message is gone now from my desktop (Just all black now); however, I still cannot complete the last part of your instructions, there is still no "desktop tab" in display properties.

I was unable to Locate:

04 - HKCU\..\Run:  [kpahdbh]  c:\Windows\lefiiwp.exe

Also, after restarting the computer, I was unable to locate:

c:\Windows\ovfxudw.exe


And last but not least, whenever I try to log off or shut down, I am receiving an End Program - Win Min window. It will then say, This program is not responding, and I have to click End Now.

Here is my latest Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 1:39:19 PM, on 4/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\yokrxqu.exe
C:\windows\yokrxqu.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\dpxddch.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yslovyn] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [kkeosjq] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [opadxly] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [cdymlgk] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [tmvpafl] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [wofvcjj] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [xwyrcab] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ppmhwex] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [rbaehgx] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [hmrllvp] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [fnowgsc] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [vdmobdb] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ikocagy] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [uyjngrk] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [acmeabp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mbmlowv] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [wfqdeue] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [rmxtmvp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [iomhkyq] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [kptslyk] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eslrdrx] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mwnsnip] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [pqvbbps] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [uojhivg] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eqtdqkr] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [qcrufir] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mlluhic] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wunabyc] c:\windows\hrvkvun.exe
O4 - HKCU\..\Run: [xltdxuj] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [swvnmgu] c:\windows\ktvxskx.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

Dao Search is like herpes
« Reply #15 on: April 16, 2005, 06:19:32 PM »
Hmm, this is a little different
May be related to a newer infection

Can you download and UNZIP to desktop or a folder
RKFiles

==Download the Pocket Killbox
UNZIP it to a folder of your choice

Try this
Copy and paste these instructions to a Notepad file then close all browser windows
Be prepared to Restart into safe mode, I'll be asking you to do that shortly

Open Hijackthis>>Open Misc tools sections>>Open Process manager
Kill these processes
C:\windows\yokrxqu.exe <-all occurrences
C:\windows\dpxddch.exe

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O4 - HKCU\..\Run: [yslovyn] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [kkeosjq] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [opadxly] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [cdymlgk] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [tmvpafl] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [wofvcjj] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [xwyrcab] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ppmhwex] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [rbaehgx] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [hmrllvp] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [fnowgsc] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [vdmobdb] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ikocagy] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [uyjngrk] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [acmeabp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mbmlowv] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [wfqdeue] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [rmxtmvp] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [iomhkyq] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [kptslyk] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eslrdrx] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [mwnsnip] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [pqvbbps] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [uojhivg] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [eqtdqkr] c:\windows\xgmtonh.exe
O4 - HKCU\..\Run: [qcrufir] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mlluhic] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wunabyc] c:\windows\hrvkvun.exe
O4 - HKCU\..\Run: [xltdxuj] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [swvnmgu] c:\windows\ktvxskx.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

c:\windows\ktvxskx.exe

Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for these paths to the file names

c:\windows\hrvkvun.exe
c:\windows\xgmtonh.exe
C:\windows\yokrxqu.exe
c:\windows\gcvbknr.exe
c:\windows\xaicctk.exe
C:\windows\dpxddch.exe


Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name
At this time Restart into Safe mode by tapping the F8 key as the system is restarting

In safe mode, double click on RKfiles.bat and let it finish scanning
Be patient
When it's done, it will create a log, by default the log is saved at
C:\log.txt

Restart back to Normal mode

Back in windows
Could you also download and UNZIP
Find_It's.zip
After unzipped open the folder Find_It's
Double click on Find_It's.bat and wait for the log

Post that log back here along with the log from RKfiles.bat>>C:\log.txt

Post back a fresh Hijackthis log too

Try not to restart the computer again after posting the above 3 logs
« Last Edit: April 16, 2005, 06:46:34 PM by guestolo »

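The O4 entries picked out for fixing in the reply above share a pattern: HKCU Run values with opaque lowercase names that launch an executable sitting directly in the Windows folder, often with several values pointing at the same file. The following is an added example, not part of any post in this thread, that applies that check to a few O4 lines copied from the 4/16/2005 log; the function names, the `windir` default and the 6-8 letter name heuristic are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the 4/16/2005 1:39 PM HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yslovyn] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [kkeosjq] c:\windows\yokrxqu.exe
O4 - HKCU\..\Run: [ikocagy] c:\windows\gcvbknr.exe
O4 - HKCU\..\Run: [wunabyc] c:\windows\hrvkvun.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Image path: either a quoted path, or everything up to the first executable
# extension (unquoted paths in these logs may contain spaces).
IMAGE_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|scr))(?=[\s,]|$)', re.IGNORECASE
)
# Assumed heuristic: value name made only of 6-8 lowercase letters.
OPAQUE_NAME = re.compile(r"[a-z]{6,8}")


def parse_o4(log):
    """Return one dict per registry-based O4 line (hive, key, name, image)."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Startup-folder shortcuts and other sections are skipped
        hive, key, name, command = m.groups()
        img = IMAGE_RE.match(command)
        image = (img.group(1) or img.group(2)) if img else command
        entries.append({"hive": hive, "key": key, "name": name, "image": image})
    return entries


def review(log, windir=r"c:\windows"):
    """Map each flagged image path to the Run value names that launch it.

    An entry is flagged when it is an HKCU value, its name is an opaque
    lowercase string unrelated to the file name, and the image sits directly
    in the Windows folder rather than in a subdirectory.
    """
    entries = parse_o4(log)
    by_image = defaultdict(list)
    for e in entries:
        by_image[e["image"].lower()].append(e["name"])

    findings = {}
    for e in entries:
        image = e["image"].lower()
        stem = ntpath.splitext(ntpath.basename(image))[0]
        in_root = ntpath.dirname(image) == windir.lower()
        opaque = bool(OPAQUE_NAME.fullmatch(e["name"])) and e["name"] != stem
        if e["hive"] == "HKCU" and in_root and opaque:
            findings[image] = sorted(by_image[image])
    return findings


if __name__ == "__main__":
    for image, names in review(SAMPLE_LOG).items():
        print(f"{image}  <- {len(names)} Run value(s): {', '.join(names)}")
```

A match is a lead for manual review rather than a verdict, since legitimate programs also live in the Windows folder.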


Offline TSD151

Dao Search is like herpes
« Reply #16 on: April 16, 2005, 07:44:29 PM »
Accomplished everything except when I went to Hijack this>>Open Misc Tools sections>>Open Process Manager...I was unable to locate and kill c:\Windows\dpxddch.exe.

Here are the logs:

***Find_it's:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 Be carefull
 Helpers Only delete file's in this section if both criteria are matched
 Only if file show's in both 1 and 2 (string search's)
 
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
 Be carefull
 Helpers Only delete file's in this section if both criteria are matched
 Only if file show's in both 1 and 2 (string search's)
 
»»»»»»»»»»»»»»»»»»»»»»»» Possible SAHAgent Files found »»»»»»»»»»»»»»»»
 
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
 
 
 Volume in drive C has no label.
 Volume Serial Number is D033-3910

 Directory of C:\WINDOWS\system32

 Volume in drive C has no label.
 Volume Serial Number is D033-3910

 Directory of C:\WINDOWS\SYSTEM32

 Volume in drive C has no label.
 Volume Serial Number is D033-3910

 Directory of C:\WINDOWS\SYSTEM

~Edited unneeded second log~

Latest Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:41:47 PM, on 4/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\bfyania.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\qaqbnkw.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [vpyphce] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xvdsglg] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ihdkupl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [ldaeqtv] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [dwhrfsx] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [qxlktlx] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [vcaasfn] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [bhjpmho] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ckivrgl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [yiscgnn] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wgssvxc] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mukoahh] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [plcqosy] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [dvcftky] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xxmqpti] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [oehdxfv] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [tflindc] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [sebfwiq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [jpnttlr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [luxcfaw] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xfpuvtv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lblvvlv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mqjjwoh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lmwnugq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [goirkqd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [gsohtyv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xwcgtrh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mejlbse] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [yrijkfd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [fhrjxds] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [djhtktr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mokdxje] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svfrvyr] c:\windows\gehbouq.exe
O4 - HKCU\..\Run: [xollrjm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mvguecn] c:\windows\mbfrbem.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Will leave computer on, I will check for your post tomorrow, thanks again for all your help, you're like a Computer Surgeon.
« Last Edit: April 16, 2005, 07:55:25 PM by guestolo »

Offline guestolo

« Reply #17 on: April 16, 2005, 07:51:41 PM »
My bad TSD151

Both RKFiles and Find_It make logs to C:\Log.txt
Rkfiles log got overwritten by Find_It's log

Edited out restarting into safe mode
May not be necessary
Run Rkfiles.bat again, let it finish scanning and post back the log it produces
C:\Log.txt

Could you also run a free online virus scan at Panda's
Save the incident report when it's done and post it back here, thanks
http://www.pandasoftware.com/products/acti...n_principal.htm

And a fresh Hijackthis log
Sorry about that :blink:
« Last Edit: April 17, 2005, 11:59:56 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline TSD151

« Reply #18 on: April 17, 2005, 12:42:28 PM »
Forgive me, for I have sinned...I guess. I did exactly what was on your instructions. Here is the log from RKfiles:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cmdteld.exe: UPX!
C:\WINDOWS\system32\dqaateqe.exe: UPX!
C:\WINDOWS\system32\dqhrijko.exe: UPX!
C:\WINDOWS\system32\gshtqjiq.exe: UPX!
C:\WINDOWS\system32\gslnbaaa.exe: UPX!
C:\WINDOWS\system32\init32m.exe: UPX!
C:\WINDOWS\system32\jhjoaaaa.exe: UPX!
C:\WINDOWS\system32\sgevcaaa.exe: UPX!
C:\WINDOWS\system32\srpcsrv32.dll: UPX!
C:\WINDOWS\system32\jndaaaaa.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\bfyania.exe: UPX!
C:\WINDOWS\brgxteo.exe: UPX!
C:\WINDOWS\cfvnpbm.exe: UPX!
C:\WINDOWS\evumfmx.exe: UPX!
C:\WINDOWS\gehbouq.exe: UPX!
C:\WINDOWS\gvvndux.exe: UPX!
C:\WINDOWS\hglwjlm.exe: UPX!
C:\WINDOWS\kadxqet.exe: UPX!
C:\WINDOWS\mbfrbem.exe: UPX!
C:\WINDOWS\mqgtbiv.exe: UPX!
C:\WINDOWS\nfxouiy.exe: UPX!
C:\WINDOWS\nmboswh.exe: UPX!
C:\WINDOWS\ntasjoi.exe: UPX!
C:\WINDOWS\ocqwhuv.exe: UPX!
C:\WINDOWS\oyglvea.exe: UPX!
C:\WINDOWS\pcvdkdb.exe: UPX!
C:\WINDOWS\powkaix.exe: UPX!
C:\WINDOWS\qaqbnkw.exe: UPX!
C:\WINDOWS\rggrhqo.exe: UPX!
C:\WINDOWS\rqtymkh.exe: UPX!
C:\WINDOWS\sgstvvq.exe: UPX!
C:\WINDOWS\swhhnjo.exe: UPX!
C:\WINDOWS\swjspmr.exe: UPX!
C:\WINDOWS\swlinrb.exe: UPX!
C:\WINDOWS\sys1210.exe: UPX!
C:\WINDOWS\sys1214.exe: UPX!
C:\WINDOWS\sys1217.exe: UPX!
C:\WINDOWS\sys1222.exe: UPX!
C:\WINDOWS\sys1225.exe: UPX!
C:\WINDOWS\sys1227.exe: UPX!
C:\WINDOWS\sys153.exe: UPX!
C:\WINDOWS\sys156.exe: UPX!
C:\WINDOWS\sys159.exe: UPX!
C:\WINDOWS\sys281.exe: UPX!
C:\WINDOWS\sys284.exe: UPX!
C:\WINDOWS\sys287.exe: UPX!
C:\WINDOWS\sys3059.exe: UPX!
C:\WINDOWS\sys312.exe: UPX!
C:\WINDOWS\sys316.exe: UPX!
C:\WINDOWS\sys3419.exe: UPX!
C:\WINDOWS\sys3422.exe: UPX!
C:\WINDOWS\sys3425.exe: UPX!
C:\WINDOWS\sys4142.exe: UPX!
C:\WINDOWS\sys4145.exe: UPX!
C:\WINDOWS\sys4147.exe: UPX!
C:\WINDOWS\sys4434.exe: UPX!
C:\WINDOWS\sys4440.exe: UPX!
C:\WINDOWS\sys4443.exe: UPX!
C:\WINDOWS\sys4655.exe: UPX!
C:\WINDOWS\sys4658.exe: UPX!
C:\WINDOWS\sys471.exe: UPX!
C:\WINDOWS\sys5832.exe: UPX!
C:\WINDOWS\sys5835.exe: UPX!
C:\WINDOWS\sys5838.exe: UPX!
C:\WINDOWS\sys953.exe: UPX!
C:\WINDOWS\sys956.exe: UPX!
C:\WINDOWS\sys958.exe: UPX!
C:\WINDOWS\uccbsyq.exe: UPX!
C:\WINDOWS\vobpcfq.exe: UPX!
C:\WINDOWS\vqbhwyy.exe: UPX!
C:\WINDOWS\wxsvgwm.exe: UPX!
C:\WINDOWS\xjrcqlr.exe: UPX!
C:\WINDOWS\xsrwadi.exe: UPX!
C:\WINDOWS\ywtovhs.exe: UPX!
Finished
bye

I was unable to download from Panda's. I clicked on scan computer and nothing happened.

What do you recommend to download or buy to prevent future infections???

Offline guestolo

« Reply #19 on: April 17, 2005, 12:52:10 PM »
Can I see a fresh HijackThis log too?
