Several Issues, many with IE locking up...*UPDATE*



#1 nalinc23 (Member, 21 posts)
Hey,

Lately, I have noticed that random webpages come up when typing something in the address bar, but today it got much worse. While using Internet Explorer, clicking any of the drop-down menus at the top such as "bookmarks" locks up IE, and typing in a webpage and clicking GO or hitting enter freezes it. If you link yourself on AIM and click it, instead of going to the website it opens my AIM folder file directory. Weird, huh? Lastly, if I run Ad-Aware it gets about halfway done and the program just shuts down, which I've never seen. I ran all the preventative programs listed in the tutorial before using HijackThis, to no avail. Thank you so much, here is my HijackThis logfile!!

Logfile of HijackThis v1.99.1
Scan saved at 12:34:38 AM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nalincoln\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OVDJQX] C:\WINDOWS\OVDJQX.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [CoolWallpaperSoftware] C:\Program Files\CoolWallpaper\cwm_tray.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YNTUMS_A.EXE] YNTUMS_A.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildt...lim/install.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell...t/TLIEFlash.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.budd...llInstaller.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

Edited by nalinc23, 26 March 2006 - 04:59 PM.



#2 cfa-ddg2 (Visiting Staff, 963 posts)
Hello nalinc23...I found your post in the Waiting Room, and I am working on your problem with G2G staff. I will reply again as soon as possible.

cfa

#3 cfa-ddg2 (Visiting Staff, 963 posts)
Hello nalinc23...welcome to G2G!

I saw your post in the waiting room, and would like to help with your malware problem if you are still having difficulties. Sorry for the delay; this site is quite busy.

I know you are having problems with IE 'locking up'; however, if you can obtain and post a current HJT log from 'normal' Windows mode, it would be preferable to attempting to fix your computer with a safe mode generated HJT log. Also, it has been over 3 days since your original post, so a more recent HJT log would be helpful to both of us.

If you are unable to obtain and post your current HJT log taken from 'normal' Windows let me know.

#4 nalinc23 (Topic Starter, Member, 21 posts)
Hey, I understand on the delay; this site is so much busier than it was a year or so ago when I had my last major problem with a virus. Hopefully you get my new log that I just did in "normal" mode, since I can run in normal mode now instead of safe. The virus and problems seem a little better after running MANY MANY scans and deleting some things, but there are still slowdowns and weird things happening, so I know something is present. Here is my HijackThis logfile from this afternoon in "normal" Windows mode. Thanks a lot!!!

-----------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 5:56:22 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskdir.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\nalincoln\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: load=???
?
F3 - REG:win.ini: run=???
?
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OVDJQX] C:\WINDOWS\OVDJQX.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [CoolWallpaperSoftware] C:\Program Files\CoolWallpaper\cwm_tray.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YNTUMS_A.EXE] YNTUMS_A.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: RCMapWYZ.pif = C:\WINDOWS\RCMAPWYZ.BAT
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildt...lim/install.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell...t/TLIEFlash.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.budd...llInstaller.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

#5 cfa-ddg2 (Visiting Staff, 963 posts)
Hello again nalinc23...

You appear to have 2 AV programs installed and running (Norton and AVG). This will create conflicts and is not recommended. You should choose one that you will use, and uninstall the other.

First, let's reveal hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu.
  • Click Folder Options.
  • Select the View tab.
  • Select Show hidden files and folders in the Hidden files and folders section.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.



Now, please go to Start>>Search>>All files and folders and type/paste the following file into the file name path:

YNTUMS_A.EXE


If you locate this file, note its exact location so that we can submit it for analysis with another file that I want looked at (see below).

There are some files I'd like to get analyzed:

<YNTUMS_A.EXE> <==The file you just located/identified in the last step
C:\WINDOWS\RCMAPWYZ.BAT

Just to be safe, go to this site and have it scan them:
Jotti virus scan

Use the Browse button at Jotti, navigate to the file's location on your hard drive and submit them one at a time.

Let me know the results of the filescan in the next reply.

Please download Ewido Anti-Malware from here
(Note: As this is a trial version, after the 14 day trial period has expired Ewido will lose some functionality with it. Ewido will then work as an On-Demand program, make sure to check for updates regularly).
  • Install ewido security suite
  • When installing the program, under "Additional Options" UNCHECK...
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido Anti-Malware
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

DO NOT RUN A SCAN YET, we will do that later in safe mode

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: load=???
?
F3 - REG:win.ini: run=???
?
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [OVDJQX] C:\WINDOWS\OVDJQX.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) <== Unless this is the 'paid' version; the 'free' version contains adware
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildt...lim/install.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.budd...llInstaller.cab


Now close all windows other than HiJackThis, then click Fix Checked.

You may want to print out the remainder of these instructions to refer to while in safe mode, as this webpage will be unavailable to you.

Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present). Click Start>>Control Panel>>Add/Remove Programs:

WeatherBug <== see above; if this is the paid version, which is adware-free, this can be omitted
WildTangent


Please delete these folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete:


C:\Program Files\AWS

Please delete these files using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\WINDOWS\OVDJQX.exe
C:\WINDOWS\system32\taskdir.exe


Now while still in safe mode, start Ewido Anti-Malware
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Anti-Malware
After that, reboot, rescan with HJT, and post another HJT logfile for review with the Ewido log and the Jotti results.
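An added example, not part of the thread and not a HijackThis or Geeks to Go tool: a small Python script that parses the HJT log format posted in #1 and #4 and applies the same triage cfa-ddg2 did by hand in #5 (orphaned "(no file)"/"(file missing)" entries, win.ini load=/run= hooks, O4 autoruns with no path or launched straight from the Windows directory, random-looking binary names) and lists what changed between the two logs. The log excerpts inside it are constructed from the posts above; the KNOWN_OK allowlist and the vowel-ratio heuristic are this example's own assumptions.

```python
"""HijackThis log triage, added for this thread (not a HijackThis or G2G tool).
It automates the checks cfa-ddg2 applied by hand in post #5: '(no file)' and
'(file missing)' entries, win.ini load=/run= hooks, O4 autoruns with no path or
launched from the Windows directory, and random-looking binary names."""
import re
from dataclasses import dataclass, field
from typing import List

ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\]\s*(?P<cmd>.*)$")
STARTUP = re.compile(r"^Global Startup: (?P<item>.+?)(?: = (?P<target>.*))?$")
WINDIR = "c:\\windows"
# Assumed allowlist: components the thread left alone although they have no path
KNOWN_OK = {"rundll32.exe", "systray.exe", "point32.exe", "nwiz.exe", "ctfmon.exe"}

# Constructed excerpt of the first log (post #1)
FIRST_LOG = r"""
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [OVDJQX] C:\WINDOWS\OVDJQX.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YNTUMS_A.EXE] YNTUMS_A.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
"""
# Constructed excerpt of the second log (post #4): the same entries plus new ones
SECOND_LOG = FIRST_LOG + r"""F3 - REG:win.ini: load=???
F3 - REG:win.ini: run=???
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: RCMapWYZ.pif = C:\WINDOWS\RCMAPWYZ.BAT
"""

@dataclass
class Finding:
    code: str
    body: str
    flags: List[str] = field(default_factory=list)

def first_binary(cmd: str) -> str:
    """Return the program a Run/Startup command launches (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|bat|pif|com|scr))(?:[\s,]|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]

def vowel_ratio(name: str) -> float:
    """Crude pronounceability score; OVDJQX-style names score very low."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in "aeiouy" for c in letters) / len(letters) if letters else 1.0

def check_binary(path: str, flags: List[str]) -> None:
    base = path.rsplit("\\", 1)[-1].lower()
    if not base or base in KNOWN_OK:
        return
    if "\\" not in path:
        flags.append("no path: locate the file before deciding")
    elif path.rsplit("\\", 1)[0].lower() in (WINDIR, WINDIR + "\\system32"):
        flags.append("launched straight from the Windows directory: verify publisher")
    if vowel_ratio(base.rsplit(".", 1)[0]) < 0.2:
        flags.append("random-looking name: submit for analysis")

def triage(log: str) -> List[Finding]:
    """Parse every HJT entry and attach the flags a reviewer would raise."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        f = Finding(m["code"], m["body"])
        if "(no file)" in f.body or "(file missing)" in f.body:
            f.flags.append("orphaned: refers to a file that no longer exists")
        if f.code == "F3" and re.search(r"(?:load|run)=\S", f.body):
            f.flags.append("win.ini load=/run= hook set (legacy autostart)")
        elif f.code == "O4":
            r, s = RUN.match(f.body), STARTUP.match(f.body)
            cmd = r["cmd"] if r else ((s["target"] or s["item"]) if s else "")
            check_binary(first_binary(cmd), f.flags)
        if f.flags:
            findings.append(f)
    return findings

def new_entries(old_log: str, new_log: str) -> List[str]:
    """Entries present in new_log but not in old_log (what changed between posts)."""
    old = {line.strip() for line in old_log.splitlines()}
    return [line.strip() for line in new_log.splitlines()
            if ENTRY.match(line.strip()) and line.strip() not in old]

if __name__ == "__main__":
    for f in triage(SECOND_LOG):
        print(f.code, f.body[:60], "->", "; ".join(f.flags))
    print("new since first log:", *new_entries(FIRST_LOG, SECOND_LOG), sep="\n  ")
```

The flags are triage hints, not verdicts: a vendor tray utility living in system32 will also be flagged for review, which is why the thread still has each suspect file located and scanned before anything is removed.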

#6 nalinc23 (Topic Starter, Member, 21 posts)
Hey, thanks for the help! Those two files you told me to look for came out fine. The first one didn't exist on my computer and the rcmapxyz.bat came up clean when I scanned it. I know what it is too, it's just my school's network drives when I lived on campus.

Here are the Ewido and HJT scans:

EWIDO

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:39:26 AM, 3/27/2006
+ Report-Checksum: EEDEB18

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
C:\WINDOWS\SYSTEM32\unimt.exe -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\SYSTEM32\glhqjilg.wwa -> Trojan.Agent.qe : Cleaned with backup
C:\WINDOWS\SYSTEM32\parad.raw.exe -> Proxy.Lager.at : Cleaned with backup
C:\WINDOWS\Desktop\go.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.ini -> Adware.Sahat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp\admprog.dll -> Adware.Altnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp\admfdi.dll -> Adware.Altnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp\admdloader.dll -> Adware.Altnet : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.14:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.17:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.32:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.33:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.37:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.39:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\System Volume Information\_restore{8C5B67EC-9129-4EA5-AB1D-F30791C514CE}\RP1304\A0164017.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{8C5B67EC-9129-4EA5-AB1D-F30791C514CE}\RP1304\A0164019.exe -> Trojan.Small : Cleaned with backup
C:\Recycled\Dc6.exe -> Proxy.Lager.at : Cleaned with backup


::Report End




HIJACK THIS:

Logfile of HijackThis v1.99.1
Scan saved at 7:40:29 AM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\system32\Notepad.exe
C:\Documents and Settings\nalincoln\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [CoolWallpaperSoftware] C:\Program Files\CoolWallpaper\cwm_tray.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YNTUMS_A.EXE] YNTUMS_A.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SymantecCleanUp] C:\DOCUME~1\NALINC~1\LOCALS~1\Temp\SymClnUp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: RCMapWYZ.pif = C:\WINDOWS\RCMAPWYZ.BAT
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...ple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell...t/TLIEFlash.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe




THANKS

#7
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello nalinc23...

Please post for me a HJT log from a 'normal' Windows boot...not from safe mode. The log you posted is also very hard for me to read...so, before posting the HJT log, please go to Format in Notepad and uncheck Word Wrap, which should produce a HJT log that looks like your previous posts.

#8
nalinc23

nalinc23

    Member

  • Topic Starter
  • Member
  • 21 posts
Whoa, sorry about that...I totally forgot about the safe-mode thing...I also turned off word wrap...here are the two logs


HIJACK THIS:

Logfile of HijackThis v1.99.1
Scan saved at 6:05:52 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nalincoln\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roanoke.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [CoolWallpaperSoftware] C:\Program Files\CoolWallpaper\cwm_tray.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YNTUMS_A.EXE] YNTUMS_A.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: RCMapWYZ.pif = C:\WINDOWS\RCMAPWYZ.BAT
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell...t/TLIEFlash.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe



EWIDO:

--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:39:26 AM, 3/27/2006
+ Report-Checksum: EEDEB18

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
C:\WINDOWS\SYSTEM32\unimt.exe -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\SYSTEM32\glhqjilg.wwa -> Trojan.Agent.qe : Cleaned with backup
C:\WINDOWS\SYSTEM32\parad.raw.exe -> Proxy.Lager.at : Cleaned with backup
C:\WINDOWS\Desktop\go.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.ini -> Adware.Sahat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp\admprog.dll -> Adware.Altnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp\admfdi.dll -> Adware.Altnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp\admdloader.dll -> Adware.Altnet : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\nalincoln\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.14:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.17:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.32:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.33:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.37:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.39:C:\Documents and Settings\nalincoln\Application Data\Mozilla\Firefox\Profiles\roze5a2r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\System Volume Information\_restore{8C5B67EC-9129-4EA5-AB1D-F30791C514CE}\RP1304\A0164017.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{8C5B67EC-9129-4EA5-AB1D-F30791C514CE}\RP1304\A0164019.exe -> Trojan.Small : Cleaned with backup
C:\Recycled\Dc6.exe -> Proxy.Lager.at : Cleaned with backup


::Report End

#9
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello nalinc23...

How is your computer running now? Are you still having the same issues as before, or are they resolved? From your log it appears that you uninstalled Norton; is this correct?

I don't see too much in your present HJT log except for some little loose ends, which we'll get to shortly.

I'd like to try the Jotti file analysis one more time, even though your search for the YNTUMS_A.EXE file came up empty:

Go to this site again: Jotti virus scan

Use the Browse button at Jotti, and type/paste the following into the file name box:

c:\windows\system32\YNTUMS_A.EXE


Let me know the results if it finds the file and produces any.

Let's do an online scan to see if it finds anything:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Repost with the PandaScan log and a new HJT log...and let me know the answers to the questions above...

Edited by cfa-ddg2, 28 March 2006 - 10:21 AM.

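The triage behind that request, as an added example (not HijackThis's code and not the helper's): it parses O4 autostart and O23 service lines in the shape of the logs above, flags Run entries whose command is a bare file name with no directory, and lists where Windows would look for such a file, which is how a bare YNTUMS_A.EXE entry leads to checking c:\windows\system32. It also lists services reported "(file missing)", the loose ends left by an uninstall. The sample lines are constructed from the logs above, and the Windows directory is assumed to be C:\WINDOWS as in the log.

```python
"""Triage helper for HijackThis O4/O23 lines (added example, not HJT's own code)."""
import re
from typing import Optional

# Constructed sample in the shape of the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YNTUMS_A.EXE] YNTUMS_A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: RCMapWYZ.pif = C:\WINDOWS\RCMAPWYZ.BAT
O4 - Global Startup: Picture Package Menu.lnk = ?
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

# "O4 - HKLM\..\Run: [name] command" and "O4 - HKLM\..\RunOnce: [name] command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Global Startup: name.lnk = command"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# "O23 - Service: name - owner - path"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First (possibly quoted, possibly space-containing) token that ends in an executable extension.
TARGET_RE = re.compile(r'^"?(?P<target>.+?\.(?:exe|com|bat|cmd|pif|scr|dll|ocx))"?(?=[\s,]|$)',
                       re.IGNORECASE)


def extract_target(cmd: str) -> Optional[str]:
    """Return the file a command line actually runs, or None if no file is named."""
    m = TARGET_RE.match(cmd)
    if not m:
        return None
    target = m.group("target")
    # rundll32 is only a host; the DLL it loads is what needs assessing.
    if target.lower() == "rundll32.exe":
        inner = TARGET_RE.match(cmd[m.end():].strip())
        if inner:
            return inner.group("target")
    return target


def parse_o4(line: str) -> Optional[dict]:
    """Parse an O4 autostart line; 'bare' means the file is named without any directory."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    target = extract_target(cmd)
    if target is None:  # e.g. "Picture Package Menu.lnk = ?" names no file
        return None
    return {"name": m.group("name"), "cmd": cmd, "target": target,
            "bare": "\\" not in target and ":" not in target}


def parse_o23(line: str) -> Optional[dict]:
    """Parse an O23 service line and note whether HJT reported its binary missing."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    path = m.group("path").strip()
    missing = path.lower().endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].strip()
    return {"name": m.group("name"), "owner": m.group("owner"),
            "path": path, "file_missing": missing}


def candidate_paths(bare_name: str, windir: str = r"C:\WINDOWS") -> list:
    """Where a Run entry with no path is normally found: Windows resolves a bare image
    name through its search order, which includes the System32 and Windows directories."""
    return [f"{windir}\\system32\\{bare_name}", f"{windir}\\{bare_name}"]


def triage(log_text: str, windir: str = r"C:\WINDOWS") -> dict:
    """Collect bare-name autostarts (with places to look) and services whose file is missing.
    Flagged entries are places to look, not verdicts: SysTray.Exe is a normal bare entry."""
    bare, missing = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_o4(line)
        if entry and entry["bare"]:
            entry["look_in"] = candidate_paths(entry["target"], windir)
            bare.append(entry)
            continue
        svc = parse_o23(line)
        if svc and svc["file_missing"]:
            missing.append(svc["name"])
    return {"bare_autostarts": bare, "missing_services": missing}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["bare_autostarts"]:
        print(f"[{e['name']}] runs bare '{e['target']}'; look in: {', '.join(e['look_in'])}")
    for name in report["missing_services"]:
        print(f"service '{name}' points at a missing file (uninstall leftover)")
```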