Edited by vweekley, 21 April 2005 - 09:47 PM.
hotoffers.info won't go away!
Started by vweekley, Apr 13 2005 09:44 AM
#16
Posted 21 April 2005 - 09:29 PM
#17
Posted 21 April 2005 - 09:32 PM
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ElitebarBHO Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "IEHijacker.Hotoffers Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ameopt Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "avenue media Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "vendor Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "dealhelper Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "autoloader Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dist001.exe infected by "Trojan-Downloader.Win32.VB.eu" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gogotoolssilawo19pi.exe infected by "not-a-virus:AdWare.ToolBar.GogoTools.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\GSM2.exe infected by "Trojan.Win32.VB.ux" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\guninst.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp1.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp2.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp3.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp3A.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp3C7.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp4C.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp99.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\ptf_0006.exe infected by "not-a-virus:AdWare.Pacer.d" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\ptf_0015.exe infected by "not-a-virus:AdWare.Pacer.d" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\uninstall.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.q" Virus. Action Taken: No Action Taken.
Edited by vweekley, 21 April 2005 - 09:46 PM.
#18
Posted 21 April 2005 - 11:33 PM
We'll use some clean-up tools first - if you already have any of these and you are sure they are the latest version then just skip and move on to the next one.
Click here to download Spybot Search & Destroy v1.3 - install, update, scan and fix all RED items it finds. Reboot when done.
Click here to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?". Reboot when done.
Click here to download Microsoft AntiSpyware Beta, check for updates and run it. Reboot when done.
Rescan with mwav and post the results here again so that any remnants can be removed manually.
#19
Posted 22 April 2005 - 04:17 PM
OK, here is the new log after doing what you mentioned above.
File System Found infected by "ameopt Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dist001.exe infected by "Trojan-Downloader.Win32.VB.eu" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gogotoolssilawo19pi.exe infected by "not-a-virus:AdWare.ToolBar.GogoTools.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\GSM2.exe infected by "Trojan.Win32.VB.ux" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\guninst.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp2.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp3.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp3A.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp3C7.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp4C.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\drp99.tmp\thnall2c.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\ptf_0006.exe infected by "not-a-virus:AdWare.Pacer.d" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\ptf_0015.exe infected by "not-a-virus:AdWare.Pacer.d" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\THIF33.tmp\ceres.cab infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\uninstall.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.q" Virus. Action Taken: No Action Taken.
#20
Posted 22 April 2005 - 04:22 PM
Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file to your desktop.
Start Killbox and click on Tools->Delete Temp Files. When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\drp2.tmp\thnall2c.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\drp3.tmp\thnall2c.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\drp3A.tmp\thnall2c.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\drp3C7.tmp\thnall2c.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\drp4C.tmp\thnall2c.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\drp99.tmp\thnall2c.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\ptf_0006.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\ptf_0015.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\THIF33.tmp\ceres.cab
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\uninstall.exe
C:\WINDOWS\System32\dist001.exe
C:\WINDOWS\System32\gogotoolssilawo19pi.exe
C:\WINDOWS\System32\GSM2.exe
C:\WINDOWS\System32\guninst.exe
C:\WINDOWS\System32\wldr.dll
For the files that it either couldn't find or couldn't delete, open Killbox again and this time put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Reboot if it doesn't do so automatically. Post a new mwav scan and HJT log in your next reply.
#21
Posted 22 April 2005 - 05:03 PM
File System Found infected by "ameopt Spyware/Adware" Virus. Action Taken: No Action Taken.
Logfile of HijackThis v1.99.1
Scan saved at 6:00:46 PM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.addictinggames.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.addictinggames.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A56C14-9B2D-4BA7-9622-5A65B7C772E4}: NameServer = 216.167.161.35 216.167.161.36
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
#22
Posted 22 April 2005 - 05:22 PM
OK you are clean - has the problem been resolved?
#23
Posted 22 April 2005 - 05:25 PM
The pop-ups have gone away, but I still can't do anything about my desktop background, and the option for Desktop isn't on the Display Properties anymore.
#24
Posted 22 April 2005 - 05:27 PM
Yes, this seems to be happening a lot with this pest. Let me look into it some more and I'll get back to you.
#26
Posted 23 April 2005 - 01:21 PM
Still no display option.
#27
Posted 23 April 2005 - 01:46 PM
Click here to download and install Registrar Lite. Double click the purple Registrar Lite icon on your desktop. Copy the line below and paste it into the "Address" field (located at the top) of the program:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
Click the "Go" button and it will take you into the "Policies" folder. Locate the "System" folder (in the right panel); if found, right-click on the System folder and go to Delete.
Be very careful that you only delete the System folder that is inside the Policies folder.
Reboot your computer again.
Let me know.
#28
Posted 25 April 2005 - 09:25 PM
All fixed!! Thanks a million!
#29
Posted 26 April 2005 - 12:03 AM
You're welcome - glad to help
To help keep you clean follow the recommendations in Tony's article here:
So how did I get infected in the first place?
As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.