Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My Hijack Log


  • This topic is locked This topic is locked

#1
HELP!!

HELP!!

    Member

  • Member
  • PipPip
  • 46 posts
here is my log


Logfile of HijackThis v1.99.1
Scan saved at 10:54:37 PM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe
C:\WINDOWS\System32\ipinav.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\0nyyc5ib\82287776.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\system32\xppheyf.exe
C:\Documents and Settings\vargas\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [srdifsaw] c:\windows\system32\srdifsaw.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [0nyyc5ib] C:\Program Files\0nyyc5ib\0nyyc5ib.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ipinav.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [bqqavn] c:\windows\system32\xppheyf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\Documents and Settings\vargas\Desktop\freescan.exe -FastScan
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
HELP!!

HELP!!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
BUMP please help.
  • 0

#3
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

As soon as you have gotten the update, I will be happy to help you! :tazz:
  • 0

#4
HELP!!

HELP!!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:41:35 PM, on 4/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe
C:\WINDOWS\System32\ipinav.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\lrfvmro.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\0nyyc5ib\82287776.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\vargas\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [srdifsaw] c:\windows\system32\srdifsaw.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [0nyyc5ib] C:\Program Files\0nyyc5ib\0nyyc5ib.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ipinav.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [uesejt] c:\windows\system32\lrfvmro.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\Documents and Settings\vargas\Desktop\freescan.exe -FastScan
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#5
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
you still haven't applied the Service Pack 1 update. I need you to do that before I can help you!
  • 0

#6
HELP!!

HELP!!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:49:55 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe
C:\WINDOWS\System32\ipinav.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
c:\windows\system32\kcrezep.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\0nyyc5ib\82287776.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\vargas\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [srdifsaw] c:\windows\system32\srdifsaw.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [0nyyc5ib] C:\Program Files\0nyyc5ib\0nyyc5ib.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ipinav.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [lyaqlms] c:\windows\system32\kcrezep.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\Documents and Settings\vargas\Desktop\freescan.exe -FastScan
O4 - Global Startup: rkrt.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#7
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
ok great! Let's get you cleaned up! While I write out the instructions for the first part of the clean up, I need you to UNZIP HijackThis using a free program like WinZip. Then, move HJT to a permanent folder, such as C:\HJT or something. If you don't do this, it won't save backups.

I'll be back in a moment with further instructions.
  • 0

#8
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd\windows
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode.
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Open HijackThis
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

There will also be an item towards the bottom of the O4 section in HijackThis (it should be the last O4 item marked "HKLM", and it should be between the entries for dumprep and msn messenger). This item will be marked with "garbage" random characters. However, it seems to be renaming itself so the name will most likely be different by the time you follow these directions. In your previous log it was:

O4 - HKLM\..\Run: [lyaqlms] c:\windows\system32\kcrezep.exe

Whatever the name of the item is, check it. Then close all open windows except for HijackThis and click Fix Checked.

Then delete the file listed in the random O4 entry. In the above example you would delete
c:\windows\system32\kcrezep.exe

Restart your computer

Scan the computer here:
http://www.ewido.net/en/
Let it do a full run, than copy the log. Past it to a blank Notepad file and save it to post here.
Than let it rerun. Save that log too.

Post back here with a fresh log using HijackThis and both of the scan results.


*There will be a couple of other steps to take after this!
  • 0

#9
HELP!!

HELP!!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:37:58 PM, 4/28/2005
+ Report-Checksum: B3C4DBFF

+ Date of database: 4/29/2005
+ Version of scan engine: v3.0

+ Duration: 22 min
+ Scanned Files: 32057
+ Speed: 23.68 Files/Second
+ Infected files: 32
+ Removed files: 32
+ Files put in quarantine: 32
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkrt.exe -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@ehg-stampsdotcom.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Cookies\vargas@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\vargas\Local Settings\Temporary Internet Files\Content.IE5\8HEFWDYV\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\vargas\Local Settings\Temporary Internet Files\Content.IE5\MXINO9E9\Bolger[1].dll -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\vargas\Local Settings\Temporary Internet Files\Content.IE5\MXINO9E9\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\42D07419-04CF-4A62-9759-E9684A\47596B7A-D420-44D1-87F0-5BC925 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8904C328-450B-4EBA-B5FB-C24EC8\2FA18CCE-69B2-42F5-B9BD-4AC5E7 -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8904C328-450B-4EBA-B5FB-C24EC8\3787C4CF-C8F0-4C2F-A895-31601E -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8904C328-450B-4EBA-B5FB-C24EC8\3E9218CF-F589-492E-B1A0-013F0A -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8904C328-450B-4EBA-B5FB-C24EC8\51A72C8A-C9E2-46CA-90D4-D01222 -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8904C328-450B-4EBA-B5FB-C24EC8\888929A1-52E3-46C6-9C6F-16E0CB -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8904C328-450B-4EBA-B5FB-C24EC8\AA223B35-7380-43BC-B1A6-150F9D -> TrojanDownloader.Qoologic.l -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8904C328-450B-4EBA-B5FB-C24EC8\C0975517-F635-4310-95B0-E33CD6 -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\temporary\aun_0001.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MXINO9E9\protector_update[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\dkdao.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINDOWS\system32\dndoxbo.exe -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINDOWS\system32\ipinav.exe -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\WINDOWS\system32\qicvdm.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\wawvg.dat -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__sisgetg.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINDOWS\vxqnudstic.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End


and the hijack log
Logfile of HijackThis v1.99.1
Scan saved at 9:39:45 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\0nyyc5ib\82287776.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\48.exe
C:\Documents and Settings\vargas\My Documents\LimeWire\LimeWire.exe
C:\Documents and Settings\vargas\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [srdifsaw] c:\windows\system32\srdifsaw.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [0nyyc5ib] C:\Program Files\0nyyc5ib\0nyyc5ib.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\Documents and Settings\vargas\Desktop\freescan.exe -FastScan
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\vargas\My Documents\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Did you follow all the steps above exactly as outlined?? The nail.exe should have been completely removed if you completed them as specified. One thing I notice is you have LimeWire installed. We highly recommend uninstalling such programs, as they are 99% of the time the reason you got infected to begin with, and will continue to infect you over and over.
Let me know if you copied the text in that post and ran it, and also about the removal of the HJT entries specified. There is also a Q00logic infection showing up in your Ewido scan which needs to be addressed.
  • 0

Advertisements


#11
HELP!!

HELP!!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
okay so I should do the steps again? And should I uninstal limwire?
  • 0

#12
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
I honestly would uninstall LimeWire. It wouldn't hurt to do those steps again, leaving out the Ewido scan. I also have an Expert taking a peek to help me make sure the next step we take is the correct one.
  • 0

#13
HELP!!

HELP!!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Okay thank you, I'll remove LimeWire
  • 0

#14
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:
C:\WINDOWS\Nail.exe
C:\WINDOWS\Bolger.dll
c:\windows\system32\srdifsaw.exe
C:\windows\system32\elitenrv32.exe
C:\Program Files\0nyyc5ib\0nyyc5ib.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

After you have done this process and have rebooted....

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if still present in the new log).
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O4 - HKLM\..\Run: [srdifsaw] c:\windows\system32\srdifsaw.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [0nyyc5ib] C:\Program Files\0nyyc5ib\0nyyc5ib.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\Documents and Settings\vargas\Desktop\freescan.exe -FastScan
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\vargas\My Documents\LimeWire\LimeWire.exe
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):
LimeWire
SpywareBeGone
**This program is in fact not a legit SPyware Removal program. It is found on the "Rogue" program list. For more information, see http://www.spywarewa...nti-spyware.htm

Please delete these folders using Windows Explorer(if present):
C:\Documents and Settings\vargas\My Documents\LimeWire


Now reboot your machine, and open HJT. Scan for a new log and paste it here in a reply
  • 0

#15
HELP!!

HELP!!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I couldn't find Spywarebegone in add/remove programs.

Logfile of HijackThis v1.99.1
Scan saved at 11:24:44 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\vargas\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {10C2015A-F1C9-4C70-9715-3BAC926D6C56} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F626A38-B7A3-45A8-B3E5-48902C231497}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP