
Remove Malware and adware [RESOLVED]


  • This topic is locked

#1
cableguy
  • Member
  • 112 posts
Completed all the steps: ran Ad-Aware SE, checked only the red items for removal. Ran CWShredder and found nothing. Ran Spybot; 95 problems were fixed and 4 were not. Ran Ewido in safe mode and saved the report file. Ran an online virus scan and no viruses were found. Ran TrojanHunter and found 2 trojans, Trojan.generic and TrojanDownloaderVB.301. No updates were found for Windows; SP2 was already installed. The reboot test went well but I am still getting annoying pop-up windows. Here are the Ewido report and the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:43:11 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\dslifestyle\dslifestyle.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Suzanne\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4ES2CVNO\HijackThis[1].exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inebraska.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjtde.exe
F2 - REG:system.ini: UserInit=userinit.exe,aebhogh.exe
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DropSpam Lifestyle] "C:\Program Files\dslifestyle\dslifestyle.exe"
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\startupmon.exe
O4 - HKLM\..\Run: [spywareremover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ufro] C:\PROGRA~1\COMMON~1\ufro\ufrom.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120629420108
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158336437468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\n86qlij518o.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\p28q0cl5efq.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:01:17 PM 9/15/2006

+ Scan result:



C:\WINDOWS\casinom.exe -> Adware.Casino : No action taken.
C:\WINDOWS\U3V6YW5uZQ\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_ -> Adware.CommAd : No action taken.
C:\WINDOWS\U3V6YW5uZQ\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_ -> Adware.CommAd : No action taken.
[1024] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[1588] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[176] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[2016] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[2080] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[2784] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[456] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[516] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[584] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
[596] C:\WINDOWS\U3V6YW5uZQ\asappsrv.dll -> Adware.CommAd : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B6E649FA-5461-40d7-AB4D-54FC3C8DB767}\\BandCLSID -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : No action taken.
HKU\S-1-5-21-3028267031-18038889-3999332092-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__g_u_a_r_d_._t_m_p_ -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\r68s0gl7e6q.dll -> Adware.Look2Me : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\appupdatetwo.exe -> Adware.Nexus : No action taken.
C:\WINDOWS\appupdate.exe -> Adware.Nexus : No action taken.
C:\Program Files\Deskbar\deskbar.dll -> Adware.Softomate : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10091.qit -> Adware.WebHancer : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10092.qit -> Adware.WebHancer : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10094.qit -> Adware.WebHancer : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10095.qit -> Adware.WebHancer : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10096.qit -> Adware.WebHancer : No action taken.
C:\Program Files\whInstall -> Adware.Webhancer : No action taken.
C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : No action taken.
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : No action taken.
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : No action taken.
C:\WINDOWS\wh.exe/whAgent.exe -> Adware.WebHancer : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : No action taken.
[616] C:\dfndrff_e1.exe -> Downloader.Adload.fk : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__d_m_o_n_w_v_._d_l_l_ -> Downloader.Agent.agw : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Temporary Internet Files\Content.IE5\6D2RAVQ7\!update-4295[1].0000 -> Downloader.PurityScan.co : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\!update.exe -> Downloader.PurityScan.df : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Temporary Internet Files\Content.IE5\6D2RAVQ7\!update-4200[1].0000 -> Downloader.PurityScan.df : No action taken.
C:\Documents and Settings\Suzanne\My Documents\WіnSxS\cmd.exe -> Downloader.PurityScan.df : No action taken.
[3768] C:\DOCUME~1\Suzanne\MYDOCU~1\WNSXS~1\cmd.exe -> Downloader.PurityScan.df : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__f_g_d_y_v_j_s_._d_l_l_ -> Downloader.Qoologic.bj : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__p_j_t_d_e_._e_x_e_ -> Downloader.Qoologic.bj : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__y_y_d_y_e_b_._e_x_e_ -> Downloader.Qoologic.bj : No action taken.
C:\WINDOWS\system32\ewrcq.dat -> Downloader.Qoologic.bj : No action taken.
C:\Program Files\Common Files\ufro\__delete_on_reboot__u_f_r_o_m_._e_x_e_ -> Downloader.TSUpdate.n : No action taken.
C:\dfndrff_e1.exe -> Hijacker.VB.ia : No action taken.
C:\Program Files\Network Monitor\__delete_on_reboot__n_e_t_m_o_n_._e_x_e_ -> Not-A-Virus.Monitor.Win32.NetMon.a : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10000.qit -> TrackingCookie.247realmedia : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10050.qit -> TrackingCookie.2o7 : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10051.qit -> TrackingCookie.2o7 : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10052.qit -> TrackingCookie.2o7 : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10053.qit -> TrackingCookie.2o7 : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10054.qit -> TrackingCookie.2o7 : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10055.qit -> TrackingCookie.2o7 : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10056.qit -> TrackingCookie.2o7 : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10057.qit -> TrackingCookie.2o7 : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc108.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10001.qit -> TrackingCookie.Addynamix : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc141.txt -> TrackingCookie.Addynamix : No action taken.
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@adrevolver[3].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc77.txt -> TrackingCookie.Adrevolver : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10004.qit -> TrackingCookie.Adserver : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10005.qit -> TrackingCookie.Advertising : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc142.txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10009.qit -> TrackingCookie.Atdmt : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc84.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@bfast[2].txt -> TrackingCookie.Bfast : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10010.qit -> TrackingCookie.Bluestreak : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc86.txt -> TrackingCookie.Bluestreak : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10014.qit -> TrackingCookie.Bridgetrack : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10016.qit -> TrackingCookie.Burstnet : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10017.qit -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc87.txt -> TrackingCookie.Casalemedia : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10018.qit -> TrackingCookie.Centrport : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@clickbank[2].txt -> TrackingCookie.Clickbank : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@clickbank[2].txt -> TrackingCookie.Clickbank : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10029.qit -> TrackingCookie.Commission-junction : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10030.qit -> TrackingCookie.Coremetrics : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10031.qit -> TrackingCookie.Coremetrics : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10032.qit -> TrackingCookie.Coremetrics : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc91.txt -> TrackingCookie.Cpvfeed : No action taken.
C:\WINDOWS\Temp\Cookies\suzanne@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10034.qit -> TrackingCookie.Doubleclick : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc93.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10038.qit -> TrackingCookie.Falkag : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10039.qit -> TrackingCookie.Falkag : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc143.txt -> TrackingCookie.Falkag : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10040.qit -> TrackingCookie.Fastclick : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc96.txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc97.txt -> TrackingCookie.Findwhat : No action taken.
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10036.qit -> TrackingCookie.Hitbox : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10037.qit -> TrackingCookie.Hitbox : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc95.txt -> TrackingCookie.Hitbox : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc99.txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitslink : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Hitslink : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@kmpads[2].txt -> TrackingCookie.Kmpads : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc104.txt -> TrackingCookie.Kmpads : No action taken.
C:\WINDOWS\Temp\Cookies\suzanne@kmpads[2].txt -> TrackingCookie.Kmpads : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10047.qit -> TrackingCookie.Linksynergy : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10044.qit -> TrackingCookie.Liveperson : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc155.txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10048.qit -> TrackingCookie.Mediaplex : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc150.txt -> TrackingCookie.Mediaplex : No action taken.
C:\WINDOWS\Temp\Cookies\suzanne@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10059.qit -> TrackingCookie.Overture : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10060.qit -> TrackingCookie.Overture : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10061.qit -> TrackingCookie.Overture : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10062.qit -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10063.qit -> TrackingCookie.Pointroll : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10064.qit -> TrackingCookie.Qksrv : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc152.txt -> TrackingCookie.Qksrv : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10065.qit -> TrackingCookie.Questionmarket : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10067.qit -> TrackingCookie.Realtracker : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc122.txt -> TrackingCookie.Reliablestats : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10068.qit -> TrackingCookie.Revenue : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc153.txt -> TrackingCookie.Revenue : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10035.qit -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10015.qit -> TrackingCookie.Serving-sys : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10070.qit -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10072.qit -> TrackingCookie.Spylog : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc148.txt -> TrackingCookie.Starware : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10074.qit -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc126.txt -> TrackingCookie.Tacoda : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc81.txt -> TrackingCookie.Tacoda : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc82.txt -> TrackingCookie.Tacoda : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10075.qit -> TrackingCookie.Targetnet : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc127.txt -> TrackingCookie.Targetnet : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10076.qit -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10077.qit -> TrackingCookie.Trafficmp : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc128.txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10081.qit -> TrackingCookie.Tribalfusion : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc158.txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10083.qit -> TrackingCookie.Valueclick : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10084.qit -> TrackingCookie.Valueclick : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10085.qit -> TrackingCookie.Valueclick : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\Suzanne\Cookies\suzanne@web-stat[1].txt -> TrackingCookie.Web-stat : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10087.qit -> TrackingCookie.Webtrendslive : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc123.txt -> TrackingCookie.Webtrendslive : No action taken.
C:\Documents and Settings\Suzanne\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc140.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\Suzanne\Local Settings\Temp\Cookies\suzanne@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10089.qit -> TrackingCookie.Zedo : No action taken.
C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10090.qit -> TrackingCookie.Zedo : No action taken.
C:\RECYCLER\S-1-5-21-3028267031-18038889-3999332092-1004\Dc68.txt -> TrackingCookie.Zedo : No action taken.
C:\WINDOWS\Temp\Cookies\suzanne@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\WINDOWS\invupd.exe -> Trojan.Imiserv.c : No action taken.
C:\WINDOWS\invupdate.exe -> Trojan.Imiserv.c : No action taken.


::Report end


#2
cfa-ddg2
  • Visiting Staff
  • Visiting Consultant
  • 963 posts
Hello cableguy! Welcome to G2G! You've got a number of infections on the computer, including Qoologic and L2M... the Ewido scan you ran found a lot of things, but you didn't have it set to quarantine them... we will do that in a bit. You also have a 'rogue' anti-spyware program on your computer, Spyware Remover (please see here: http://www.spywarewa...ti-spyware.htm).

1. You are currently using HijackThis from a temporary directory; this can cause problems.
HijackThis creates backups, and these are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, move the HJT download into this new location and unzip HijackThis into that directory. Run the program from that directory from now on.

Steps for creating the folder:
  1. Please go to My Computer, open your C:\ drive, select New >> Folder and name the folder HJT.
  2. Copy the HijackThis.zip download to the new folder.
  3. Double click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.
Run HJT from now on from this new folder...

If required, look at this Hijackthis Folder Tutorial

2. Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

3. Download this file: http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe
Double click combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

4. Post back with:
  • the ComboFix log
  • the HJT uninstall list
  • a new HJT log
If necessary, you can use multiple replies to post all the logs in their entirety (they may not fit in one reply...).
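As an added illustration (not code from this thread, from HijackThis or from ComboFix), here is a small Python checker that flags the HJT entries cfa-ddg2 is pointing at: the system.ini Shell/UserInit lines that launch an extra program, the Winlogon Notify DLLs with random-looking names (the Look2Me/L2M pattern), and entries whose file is already gone. The sample lines are copied from the log above; the random-name heuristic is an assumption of this example, not a HijackThis rule.

```python
"""Checker for the HijackThis entries discussed in this thread (added example,
not part of the original posts or of HijackThis).  It flags the system.ini
Shell/UserInit lines that launch an extra program, Winlogon Notify DLLs with
random-looking names (the Look2Me/L2M pattern), and entries whose file is
already gone.  The random-name heuristic is an assumption of this example."""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inebraska.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjtde.exe
F2 - REG:system.ini: UserInit=userinit.exe,aebhogh.exe
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ufro] C:\PROGRA~1\COMMON~1\ufro\ufrom.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\n86qlij518o.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\p28q0cl5efq.dll (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


# The only program each of these system.ini keys should launch on a clean XP box.
CLEAN_SHELL = "explorer.exe"
CLEAN_USERINIT = "userinit.exe"

_F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*?)(?: \(file missing\))?$")
_MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


def _basename(path: str) -> str:
    """Last component of a Windows path (accepts forward slashes too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    """Heuristic (assumption of this example) for machine-generated names such
    as n86qlij518o.dll: letters and digits interleaved in at least two digit
    runs and two letter runs.  Ordinary names like hpqtra08.exe have one run."""
    stem = filename.rsplit(".", 1)[0]
    digit_runs = len(re.findall(r"\d+", stem))
    letter_runs = len(re.findall(r"[A-Za-z]+", stem))
    return digit_runs >= 2 and letter_runs >= 2


def analyze(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious HijackThis line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []

        # F2: Shell= / UserInit= must name only the expected system binary.
        m = _F2_RE.match(line)
        if m:
            key, value = m.groups()
            parts = [p.strip().lower() for p in value.split(",") if p.strip()]
            expected = CLEAN_SHELL if key == "Shell" else CLEAN_USERINIT
            extra = [p for p in parts if _basename(p) != expected]
            if extra:
                reasons.append(f"{key} launches extra program(s): {', '.join(extra)}")

        # O20: a Winlogon Notify DLL with a random-looking name is the L2M pattern.
        m = _O20_RE.match(line)
        if m:
            dll = _basename(m.group(2))
            if looks_random(dll):
                reasons.append(f"Winlogon Notify DLL with random-looking name: {dll}")

        # Any entry whose target file is gone is a leftover to clean up.
        if _MISSING_RE.search(line):
            reasons.append("entry points at a file that no longer exists (orphan)")

        if reasons:
            findings.append(Finding(line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```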

#3
cableguy
  • Topic Starter
  • Member
  • 112 posts
The spywarewarrior.com site is not available at the moment; it says try again later. What do you suggest?

#4
cableguy
  • Topic Starter
  • Member
  • 112 posts
Ad-Aware SE Personal
Adobe Reader 7.0.8
airBridge
CardRd81
ccCommon
CCScore
Conexant HSF V92 56K Data Fax PCI Modem
CR2
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
ewido anti-spyware 4.0
GdiplusUpgrade
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows XP (KB896344)
Hoyle Solitaire
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
Internet Worm Protection
J2SE Runtime Environment 5.0
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
MediaTickets by OIN
Microsoft Entertainment Pack: The Puzzle Collection
Microsoft Office 97, Professional Edition
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Notifier
OTtBP
OTtBPSDK
overland
PCPitstop Panda AntiVirus Scan (remove only)
QuickTime
Santa's Workshop Screensaver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
SFR
SHASTA
Sierra Utilities
SKIN0001
SKINXSDK
SoundMAX
SPBBC
Spybot - Search & Destroy 1.4
SpywareRemover 3.6.0.3
Symantec
Symantec Script Blocking Installer
SymNet
The Weather Channel Desktop
TrojanHunter 4.6
University of Nebraska Screen Saver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VPRINTOL
Weather Services
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WIRELESS
Yahoo! Toolbar

There is another program on this PC I can't remove, DropSpam LifeStyle. Tried to uninstall from the web site but no luck. Any suggestions?

#5 cableguy (Member, Topic Starter)
http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe
These two links did not go anywhere, page could not be found.

#6 cableguy (Member, Topic Starter)
Here's the new Logfile of HijackThis v1.99.1
Scan saved at 1:47:24 PM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\dslifestyle\dslifestyle.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qhpal.exe
C:\WINDOWS\system32\pjtde.exe
C:\WINDOWS\system32\pjtde.exe
C:\WINDOWS\system32\pjtde.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inebraska.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjtde.exe
F2 - REG:system.ini: UserInit=userinit.exe,aebhogh.exe
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DropSpam Lifestyle] "C:\Program Files\dslifestyle\dslifestyle.exe"
O4 - HKLM\..\Run: [xqhqey] C:\WINDOWS\system32\yydyeb.exe reg_run
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\startupmon.exe
O4 - HKLM\..\Run: [spywareremover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [unorf] C:\WINDOWS\system32\yydyeb.exe reg_run
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: __delete_on_reboot__q_h_p_a_l_._e_x_e_
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120629420108
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158336437468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hrns0557e.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\p28q0cl5efq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
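The F2, O4 and O20 lines in the log above are the ones a helper reads first: F2 shows what Winlogon launches as the shell and at logon (anything beyond Explorer.exe and userinit.exe is a hijack), O20 lists DLLs loaded into winlogon.exe as Notify packages, and the paired O4 entries register the same binary twice under two random names. As an added example, not part of this thread and not a HijackThis feature, the Python script below applies those rules to a HijackThis 1.99-format log. The embedded sample lines are constructed copies of entries from the log above; the allowlist of Winlogon Notify DLLs is an assumption about a stock Windows XP SP2 install and should be adjusted for the machine in front of you.

```python
"""Triage a HijackThis 1.99.x log for persistence entries that should never look like this.

Added example, not from the forum thread. The rules mirror what a helper checks by eye
in the F2 / O4 / O20 lines; the Notify-package allowlist is an assumption (stock XP SP2).
"""
import ntpath
import re
from collections import defaultdict

# Assumption: Winlogon Notify DLLs present on a clean Windows XP SP2 machine.
KNOWN_NOTIFY_DLLS = {
    "crypt32chain.dll", "cryptnet.dll", "cscdll.dll", "sccertprop.dll",
    "schedule.dll", "sclgntfy.dll", "senslogn.dll", "termsrv.dll",
    "wlballoon.dll", "wgalogon.dll", "igfxcui.dll",
}

# Constructed sample in HijackThis 1.99.1 format (copied from the entries quoted above).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjtde.exe
F2 - REG:system.ini: UserInit=userinit.exe,aebhogh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [xqhqey] C:\WINDOWS\system32\yydyeb.exe reg_run
O4 - HKCU\..\Run: [unorf] C:\WINDOWS\system32\yydyeb.exe reg_run
O4 - Global Startup: __delete_on_reboot__q_h_p_a_l_._e_x_e_
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hrns0557e.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\p28q0cl5efq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
PENDING_DELETE = "__delete_on_reboot__"


def image_path(command: str) -> str:
    """Return the executable from a Run-key command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return (reason, line) pairs for entries that indicate a hijack."""
    findings = []
    run_names = defaultdict(set)   # lower-cased image path -> Run value names using it
    first_line = {}                # lower-cased image path -> first log line seen
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            # Winlogon Shell must be Explorer.exe alone; UserInit must be userinit.exe alone.
            key, value = m.group(1), m.group(2)
            parts = [p.strip() for p in value.split(",") if p.strip()]
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            if len(parts) != 1 or ntpath.basename(parts[0]).lower() != expected:
                findings.append((f"{key} hijack: extra program started by Winlogon", line))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            img = image_path(m.group(3)).lower()
            run_names[img].add(m.group(2))
            first_line.setdefault(img, line)
            continue
        if line.startswith("O4 - Global Startup:") and PENDING_DELETE in line:
            findings.append(("Startup-folder item marked delete-on-reboot", line))
            continue
        m = O20_RE.match(line)
        if m:
            dll = m.group(2)
            if "(file missing)" in dll:
                findings.append(("Winlogon Notify package points at a missing DLL", line))
            elif ntpath.basename(dll.split(" (")[0]).lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("Winlogon Notify package not on the allowlist", line))
    # One binary registered under several different Run value names (HKLM + HKCU)
    # is how the qoologic entries above re-launch themselves.
    for img, names in run_names.items():
        if len(names) > 1:
            findings.append((f"same binary under {len(names)} different Run names", first_line[img]))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against a saved hijackthis.log by replacing SAMPLE_LOG with the file contents. The script flags, never fixes: F2 entries are repaired with HijackThis itself and the Notify DLLs removed in Safe Mode, as the helper's later instructions describe, and a flagged O4 entry still needs the file on disk checked before it is trusted as malicious.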

#7 cfa-ddg2 (Visiting Staff, Visiting Consultant)

http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe
These two links did not go anywhere, page could not be found.


Both of those links work fine for me...I just checked them on my computer. It would be ideal if we can use combofix as it will take care of the L2M and qoologic at the same time...

If you have access to an uninfected computer I would go to one of the two links and copy the combofix file onto some removable media (CD, floppy, thumb drive), then copy it onto the infected computer and follow the prior instructions for its use. If you cannot do this, let me know.

We'll deal with the DropSpam thing in a bit...but until we get rid of the L2M and qoologic infections you'll only get more malware installed on your computer.

WRT the SpywareRemover, it is listed as a rogue program (I'm not sure what's up with the SpywareWarrior site... it must be down). I would remove this program via the Control Panel's Add or Remove Programs.

#8 cableguy (Member, Topic Starter)
Not sure what WRT is but the SpywareRemover program is uninstalled.
ComboFix got rid of qoologic and look2me, I'm sure glad those are gone I was getting tired of fighting off all the pop ups. Thank you!
Here's the log file for ComboFix.


Suzanne - 06-09-18 15:57:12.93 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Suzanne\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{2070A579-DED6-45A4-868D-770FFBDA529F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2070A579-DED6-45A4-868D-770FFBDA529F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2070A579-DED6-45A4-868D-770FFBDA529F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2070A579-DED6-45A4-868D-770FFBDA529F}\InprocServer32]
@="C:\\WINDOWS\\system32\\dqdskmgr.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\dnps0177e.dll
C:\WINDOWS\system32\dqdskmgr.dll
C:\WINDOWS\system32\hrns0557e.dll




((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\yydyeb.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\yydyeb.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\aebhogh.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-15 21:24 127488 ewrcq.dat.qoo
06-09-18 12:25 127488 yydyeb.exe.qoo
06-09-18 12:25 23552 aebhogh.exe.qoo
06-09-13 06:32 53 nnovqc.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\updrun.exe
C:\Program Files\Deskbar

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Suzanne\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Suzanne\My Documents\WNSXS~1\cmd.exe
C:\QooBox\Purity\Documents and Settings\Suzanne\My Documents\WNSXS~1\WNSXS~1
C:\QooBox\Purity\Program Files\SSEMBL~1
C:\QooBox\Purity\Program Files\SSEMBL~1\r?gsvr32.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-18 to 2006-09-18 ))))))))))))))))))))))))))))))))))


2006-09-17 14:48 233,867 -r--s---- C:\WINDOWS\system32\dvprpres.dll
2006-09-15 20:46 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-14 21:21 78,488 --a------ C:\WINDOWS\system32\XMD5.dll
2006-09-14 21:21 663,040 --a------ C:\WINDOWS\is-61RHQ.exe
2006-09-14 21:21 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2006-09-13 09:32 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2006-09-13 06:32 553 --a------ C:\WINDOWS\wukgv.dll
2006-09-13 06:27 181,497 --a------ C:\WINDOWS\yzd.exe
2006-09-12 08:49 114,541 --a------ C:\WINDOWS\icond.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-18 15:53 -------- d-------- C:\Program Files\SpywareRemover
2006-09-18 12:27 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-18 12:25 -------- d-a------ C:\Program Files\Common Files
2006-09-17 16:35 -------- d-------- C:\Program Files\ACW
2006-09-17 14:54 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-15 23:22 -------- d-------- C:\Documents and Settings\Suzanne\Application Data\TrojanHunter
2006-09-15 23:06 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-15 22:35 -------- d-------- C:\Program Files\PCPitstop
2006-09-15 21:48 -------- d-------- C:\Documents and Settings\Suzanne\Application Data\Sun
2006-09-15 21:47 -------- d-------- C:\Program Files\Java
2006-09-15 21:42 -------- d-------- C:\Program Files\Common Files\Java
2006-09-15 14:07 -------- d-------- C:\Program Files\Lavasoft
2006-09-15 14:07 -------- d-------- C:\Documents and Settings\Suzanne\Application Data\Lavasoft
2006-09-15 11:40 -------- d-------- C:\Program Files\Common Files\ufro
2006-09-15 09:17 -------- d-------- C:\Program Files\Common Files\Companion Wizard
2006-09-13 23:07 -------- d-------- C:\Program Files\DropSpam
2006-09-13 21:55 -------- d-------- C:\Program Files\Internet Explorer
2006-09-13 21:51 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-13 21:50 -------- d-------- C:\Documents and Settings\Suzanne\Application Data\Microsoft
2006-09-13 09:02 -------- d-------- C:\Program Files\dslifestyle
2006-09-13 07:30 -------- d-------- C:\Documents and Settings\Suzanne\Application Data\SystemDoctor 2006 Free
2006-09-13 06:28 93634 --ahs---- C:\Program Files\Common Files\Yazzle1395OinUninstaller.exe
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 12:54 -------- d-------- C:\Program Files\Overland
2006-07-21 12:52 -------- d-------- C:\Program Files\HP
2006-07-21 12:51 5632 --a------ C:\Documents and Settings\Suzanne\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-06-22 00:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-22 00:06 1435648 --a------ C:\WINDOWS\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"DropSpam Lifestyle"="\"C:\\Program Files\\dslifestyle\\dslifestyle.exe\""
"cmonitor"="C:\\Program Files\\SystemDoctor 2006 Free\\startupmon.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Suzanne.job

Completion time: Mon 09/18/2006 16:02:16.25
ComboFix.txt

#9 cfa-ddg2 (Visiting Staff, Visiting Consultant)

Not sure what WRT is but the SpywareRemover program is uninstalled.
ComboFix got rid of qoologic and look2me, I'm sure glad those are gone I was getting tired of fighting off all the pop ups. Thank you!



WRT = "With Regard To"... sorry for the abbreviation....

Now I need a new HJT log and we can continue....there will be more to do.

#10 cableguy (Member, Topic Starter)
Ok here it is. Also found a couple of new problems... when I right-click My Computer to access Properties I get a rundll32.exe error: -- framedyn.dll was not found --
Also in system information there is no info, says "windows management files may be moved or missing".

Logfile of HijackThis v1.99.1
Scan saved at 8:50:07 PM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cscript.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\dslifestyle\dslifestyle.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inebraska.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DropSpam Lifestyle] "C:\Program Files\dslifestyle\dslifestyle.exe"
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\startupmon.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120629420108
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158336437468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

#11 cfa-ddg2 (Visiting Staff, Visiting Consultant)
Hello cableguy....much better.

Let's finish cleaning the computer and then look into those issues you raise...

1. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Save it to your desktop, we will use it later...

2. I believe I see Ewido on your system...if this is true you can ignore the download instructions below...however make sure it is updated with the latest definitions and set up to quarantine as instructed (the last Ewido scan results you posted showed that you did not have it set up to quarantine found items!):

Next download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

3. Please re-open HiJackThis and choose scan only. Check the boxes next to all the entries listed below.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DropSpam Lifestyle] "C:\Program Files\dslifestyle\dslifestyle.exe"
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\startupmon.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll


Now close all windows other than HiJackThis, then click Fix Checked.

4. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Please delete these folders using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\Program Files\dslifestyle
C:\Program Files\SystemDoctor 2006 Free


5. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

6. IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
7. Update Java and Remove old Java Versions
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8. <== scroll down the list to find THIS entry
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Remove older Java Versions:
  • Close any programs you may have running - especially your web browser.
  • Go to Start >> Control Panel double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
Install latest Java Version:
  • From your desktop, double-click on jre-1_5_0_08-windows-i586-p to install the newest version.
8. Post the results of the ewido report scan, a new HJT log and let me know if your computer is having problems...
  • 0
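The checkbox step above hinges on reading the HijackThis log: each line carries a type code (R3, O4, O9, O23 ...), and for most entries a file path that can be compared against the folders slated for removal. The following is an added example, not code from the thread or from HijackThis itself: a small parser that pulls the path out of each line and flags entries whose file sits under one of the folders the helper asked to delete in step 4, or that refer to something missing. The sample log lines are reconstructed from the entries quoted in this thread; the suspect folder list is the two folders named in step 4.

```python
import re

# Constructed sample: lines in the style of the HJT log posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DropSpam Lifestyle] "C:\Program Files\dslifestyle\dslifestyle.exe"
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\startupmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
"""

# Folders the helper asked to delete in step 4 of this post; used here as the suspect list.
SUSPECT_DIRS = [
    r"C:\Program Files\dslifestyle",
    r"C:\Program Files\SystemDoctor 2006 Free",
]

# "O4 - <rest of line>": a letter, a number, a dash, then the body.
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path ending in .exe/.dll/.cab, quoted or not; non-greedy so
# unquoted paths containing spaces still stop at the extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|cab))"?', re.IGNORECASE)


def parse_entry(line):
    """Split one HJT line into its type code, body, file path (if any) and a
    'missing' marker for lines such as 'is missing' or '(file missing)'."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header lines, process list, blank lines
    body = m.group("body")
    p = PATH_RE.search(body)
    return {
        "type": m.group("type"),
        "body": body,
        "path": p.group(1) if p else None,
        "missing": "missing" in body.lower(),
    }


def under_dir(path, directory):
    """Case-insensitive check that path lives inside directory (Windows-style).
    The trailing backslash prevents 'dslifestyle' from matching 'dslifestyleX'."""
    base = directory.rstrip("\\").lower() + "\\"
    return path.lower().startswith(base)


def flag_entries(log_text, suspect_dirs):
    """Return (entry, reason) pairs for log lines worth a second look."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["path"] and any(under_dir(entry["path"], d) for d in suspect_dirs):
            flagged.append((entry, "path under a folder slated for removal"))
        elif entry["missing"]:
            flagged.append((entry, "entry refers to something missing"))
    return flagged


if __name__ == "__main__":
    for entry, reason in flag_entries(SAMPLE_LOG, SUSPECT_DIRS):
        print(f"{entry['type']:>4}  {reason}: {entry['body']}")
```

Two of the helper's four checkbox entries are caught by the path match and the R3 line by the missing marker; the O9 Looksitup entry is not, because its path is the legitimate shdocvw.dll and only the CLSID identifies it, so a tool like this still needs a human (or a CLSID lookup) for that class of entry. The stale O23 service is flagged for review, not as malware: "(file missing)" just means the registered binary is gone.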

#12
cableguy

    Member

  • Topic Starter
  • Member
  • 112 posts
I performed all the steps as described; ewido found 5 infections and quarantined them. Everything seems to be working great with regards to the pop-ups. :whistling: :help:
Still have the problems with "My Computer" properties and system information as I described in the last post. :blink:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:37:01 PM 9/19/2006

+ Scan result:



C:\WINDOWS\system32\dvprpres.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\QooBox\Purity\Documents and Settings\Suzanne\My Documents\WNSXS~1\cmd.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\QooBox\aebhogh.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\ewrcq.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\yydyeb.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 10:51:14 PM, on 9/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inebraska.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120629420108
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158336437468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
  • 0

#13
cableguy

    Member

  • Topic Starter
  • Member
  • 112 posts
I have a small network. Is it possible that what we found on this computer could infect the others on the network?
  • 0

#14
cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello cableguy....

Regarding the 'network', I'd have to say it's possible.....check out this reference regarding one of the files I'm having you delete below:

http://64.233.167.10...lient=firefox-a


It states it can spread via 'network shares'....

I would recommend that you check HJT logs on all the computers on the network. Do not post them in this thread, but if you have concerns open a new topic for each machine...it'll keep everyone from getting confused!

The HJT appears 'clean'...good job! A bit more cleaning to do, and then we'll look at the My Computer issue...but that sounds weird...I need to check a few things:

1. Please delete these folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\Program Files\Common Files\ufro


2. Please delete these files using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:

C:\WINDOWS\system32\SpOrder.dll
C:\WINDOWS\wukgv.dll
C:\WINDOWS\yzd.exe
C:\WINDOWS\icond.exe
C:\Program Files\Common Files\Yazzle1395OinUninstaller.exe



3. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
4. Post the contents of the ActiveScan report, the HJT uninstall list and a new HJT log.....
  • 0

#15
cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
OK....here is what I find about the My Computer system information and framedyn.dll problem...see if it helps:

http://support.micro...kb;en-us;319114

Sounds like what is going on on your machine.....
  • 0