Help, I'm under attack
Started by
JGinIL
, Apr 30 2005 05:43 PM
#1
Posted 30 April 2005 - 05:43 PM
#2
Posted 30 April 2005 - 05:49 PM
What System are you running, and what exactly is it that you know where it is and can delete?
What AV and other cleaning Programs are Installed?
Let's see if I can get you to the State where you can at least Download something!
#3
Posted 30 April 2005 - 06:10 PM
I'm running XP. I found the srchast file and could not delete or get rid of it. I have SpySubtract, AlertSpy and Windows SP2.
#4
Posted 30 April 2005 - 06:36 PM
Finally got a download of HJT to work. Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 7:29:54 PM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\Services\{97392C4C-5EB0-402E-AAEC-184C9266E017}\SVCHOST.EXE
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\xdakcjx.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\AlertSpy\AlertSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighterScanner.exe" monitor
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Ad-Protect] C:\Program Files\Ad-Protect\ad-protect.exe /s
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{97392C4C-5EB0-402E-AAEC-184C9266E017}\SVCHOST.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [ttbuvq] c:\windows\system32\xdakcjx.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{97392C4C-5EB0-402E-AAEC-184C9266E017}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\sp
#5
Posted 30 April 2005 - 08:00 PM
OK, that was only half the log, but still a start!!!
Go to Add\Remove Programs and Remove these:
Webshots
AlertSpy
SpyFighter
Media Access
Ad-Protect
Security IGuard
Virtual Maid
Search Maid
After any removals, Restart the PC for the changes to take!
Now, to create a permanent folder for HijackThis:
Right Click the Desktop>>Select New>>Folder>>Name it whatever you want!
Locate the HijackThis Zip Folder and Place it in the new folder and make sure to Unzip it and Extract All Files!
Do whatever you have to to Disable SpySubtract's Venus Spytrap if it's enabled; there should be an Icon in the Taskbar, near the clock, that you can right click to disable it!
Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK". Exit Program.
This will restore the original deleted Hosts file.
Use the link below and follow the Instructions just as they are laid out:
http://forums.subrat...?showtopic=3466
Once both Kaspersky and Microsoft AntiSpyware are Downloaded, Installed and Updated, just as described in the link,
Restart in Safe Mode. Once in Safe Mode, just Open both Kaspersky and Microsoft AntiSpyware but don't run them yet!
Right Click the TaskBar and Select TaskManager; once it's open, Click Processes, and under Processes, locate:
Rundll32.exe <<<Right Click and Select End Process
Explorer.exe <<<Right Click and Select End Process
When you kill the explorer process, the Taskbar and Desktop will disappear; this is normal, so don't panic!
Once those processes are killed, Scan the PC with Kaspersky and Delete all it finds!
Once Kaspersky is done, close it out and Scan the PC with Microsoft AntiSpyware and delete all it finds!
Close out Microsoft AntiSpyware and go to the TaskManager and Select Shut Down; Choose to Restart in Normal Mode!
Once back in Normal Mode, Scan the PC with Both again and Delete all they find!
Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!
Make Sure Normal Startup is Checked!!
Select the tab labeled Startup and put a Check by every box there!!
Click Apply>>OK>>Follow the Prompts to Restart!!
Once Restarted, Scan the PC with HijackThis again and Post those results!
Make sure to post the entire HijackThis log!
#6
Posted 01 May 2005 - 08:10 PM
This took all day literally. I did not find Virtual Maid or Search Maid. I only found Media Access, Ad-Protect, Security IGuard in the Reg files. Deleted them. At long last here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:04:51 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\TheGlaums\Desktop\FixIt File\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft word\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} -
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} -
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
#7
Posted 02 May 2005 - 02:38 AM
OK, that got rid of a lot of nasties!!!
Please download SpSeHjfix from:
http://www.trojaner-...gi?file=sphjfix
Download it to the New Folder you created!
Unzip and Extract all Files!
Close any open programs!!!
Run SpSeHjfix and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the new folder.
Once rebooted, run SpSeHjfix again and Save that log.
Restart in Safe Mode and Repeat the Procedure again; when it restarts the PC, restart back in Safe Mode again and run it once more!
Make sure all 4 logs are saved in the new folder!
Once completed, Restart Normal and Post all 4 logs along with a fresh HijackThis log!
#8
Posted 03 May 2005 - 11:15 AM
OK, that was painless. I was never prompted to reboot after the first disinfection; was that OK? Anyway, here are all five logs:
(5/3/05 10:41:07 AM) SPSeHjFix started v1.1.2
(5/3/05 10:41:07 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 10:41:07 AM) Language: english
(5/3/05 10:41:07 AM) Win-Path: C:\WINDOWS
(5/3/05 10:41:07 AM) System-Path: C:\WINDOWS\system32
(5/3/05 10:41:07 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 10:56:54 AM) Disinfection started
(5/3/05 10:56:55 AM) Bad-Dll(IEP): (not found)
(5/3/05 10:56:55 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 10:56:57 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 10:56:57 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 10:56:57 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(5/3/05 10:56:57 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(5/3/05 10:56:57 AM) Stealth-String not found
(5/3/05 10:56:58 AM) File added to delete: c:\docume~1\test\locals~1\temp\se.dll
(5/3/05 10:56:58 AM) Reboot
SHJ.2
(5/3/05 11:12:24 AM) SPSeHjFix started v1.1.2
(5/3/05 11:12:24 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:12:24 AM) Language: english
(5/3/05 11:12:24 AM) Win-Path: C:\WINDOWS
(5/3/05 11:12:24 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:12:24 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:12:25 AM) Disinfection started
(5/3/05 11:12:25 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:12:26 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:12:26 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:12:26 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:12:26 AM) Bad IE-pages: (none)
(5/3/05 11:12:26 AM) Stealth-String not found
(5/3/05 11:12:26 AM) Not infected->END
(5/3/05 11:15:33 AM) SPSeHjFix started v1.1.2
(5/3/05 11:15:33 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:15:33 AM) Language: english
(5/3/05 11:15:33 AM) Win-Path: C:\WINDOWS
(5/3/05 11:15:33 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:15:33 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:15:35 AM) Disinfection started
(5/3/05 11:15:35 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:15:35 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:15:35 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:15:35 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:15:35 AM) Bad IE-pages: (none)
(5/3/05 11:15:35 AM) Stealth-String not found
(5/3/05 11:15:35 AM) Not infected->END
SHJ.3
(5/3/05 11:19:56 AM) SPSeHjFix started v1.1.2
(5/3/05 11:19:56 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:19:56 AM) Language: english
(5/3/05 11:19:56 AM) Win-Path: C:\WINDOWS
(5/3/05 11:19:56 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:19:56 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:19:59 AM) Disinfection started
(5/3/05 11:19:59 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:19:59 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:19:59 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:19:59 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:19:59 AM) Bad IE-pages: (none)
(5/3/05 11:19:59 AM) Stealth-String not found
(5/3/05 11:19:59 AM) Not infected->END
(5/3/05 11:21:24 AM) SPSeHjFix started v1.1.2
(5/3/05 11:21:24 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:21:24 AM) Language: english
(5/3/05 11:21:24 AM) Win-Path: C:\WINDOWS
(5/3/05 11:21:24 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:21:24 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:21:26 AM) Disinfection started
(5/3/05 11:21:26 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:21:26 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:21:26 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:21:26 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:21:26 AM) Bad IE-pages: (none)
(5/3/05 11:21:26 AM) Stealth-String not found
(5/3/05 11:21:26 AM) Not infected->END
SHJ.4
(5/3/05 11:19:56 AM) SPSeHjFix started v1.1.2
(5/3/05 11:19:56 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:19:56 AM) Language: english
(5/3/05 11:19:56 AM) Win-Path: C:\WINDOWS
(5/3/05 11:19:56 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:19:56 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:19:59 AM) Disinfection started
(5/3/05 11:19:59 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:19:59 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:19:59 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:19:59 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:19:59 AM) Bad IE-pages: (none)
(5/3/05 11:19:59 AM) Stealth-String not found
(5/3/05 11:19:59 AM) Not infected->END
(5/3/05 11:21:24 AM) SPSeHjFix started v1.1.2
(5/3/05 11:21:24 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:21:24 AM) Language: english
(5/3/05 11:21:24 AM) Win-Path: C:\WINDOWS
(5/3/05 11:21:24 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:21:24 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:21:26 AM) Disinfection started
(5/3/05 11:21:26 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:21:26 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:21:26 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:21:26 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:21:26 AM) Bad IE-pages: (none)
(5/3/05 11:21:26 AM) Stealth-String not found
(5/3/05 11:21:26 AM) Not infected->END
(5/3/05 11:23:53 AM) SPSeHjFix started v1.1.2
(5/3/05 11:23:53 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:23:53 AM) Language: english
(5/3/05 11:23:53 AM) Win-Path: C:\WINDOWS
(5/3/05 11:23:53 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:23:53 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:23:55 AM) Disinfection started
(5/3/05 11:23:55 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:23:55 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:23:55 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:23:55 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:23:55 AM) Bad IE-pages: (none)
(5/3/05 11:23:55 AM) Stealth-String not found
(5/3/05 11:23:55 AM) Not infected->END
(5/3/05 11:40:18 AM) SPSeHjFix started v1.1.2
(5/3/05 11:40:18 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:40:18 AM) Language: english
(5/3/05 11:40:18 AM) Win-Path: C:\WINDOWS
(5/3/05 11:40:18 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:40:18 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:40:20 AM) Disinfection started
(5/3/05 11:40:20 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:40:20 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:40:20 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:40:20 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:40:20 AM) Bad IE-pages: (none)
(5/3/05 11:40:20 AM) Stealth-String not found
(5/3/05 11:40:20 AM) Not infected->END
HJT.2
Logfile of HijackThis v1.99.1
Scan saved at 12:04:01 PM, on 5/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\TheGlaums\Desktop\FixIt File\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft word\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} -
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} -
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
JUST A NOTE: this is working; fewer issassist popups and fewer popups in general.
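The HijackThis logs in this thread are read by eye, so as an added illustration (not code from the thread, from HijackThis, or from SpSeHjfix) here is a small Python triage pass over lines in the HijackThis 1.99 format. The sample lines are constructed in the shape of the HJT.2 log above; the flagging rules (blank R0 values, R3 hook missing, BHOs whose DLL is absent, O16 DPF entries with no source URL, Run entries that point at the drive root or carry vowel-less generated-looking names) are this example's own heuristics for which entries a cleaner inspects first, not HijackThis's own logic, and a flag is a prompt to look, not a verdict.

```python
"""Heuristic triage of HijackThis 1.99 log lines (added example, not HJT code)."""
from __future__ import annotations
import re

# Constructed sample in HijackThis format, modelled on the HJT.2 log in the
# thread; the WGA URL is a placeholder, not the real download location.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://example.invalid/wga-placeholder.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# "O4 - body": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Body of an O4 autorun entry: hive, value name in brackets, command line.
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def first_exe(cmd: str) -> str:
    """Executable path at the start of a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def looks_random(name: str) -> bool:
    """Crude generated-name check: 5+ letters, no vowel at all (e.g. mzkmdn)."""
    return len(name) >= 5 and name.isalpha() and not re.search(r"[aeiouy]", name, re.I)


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, line) for each entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section in ("R0", "R1") and body.rstrip().endswith("="):
            reason = "blank IE start/search value"
        elif section == "R3" and "missing" in body:
            reason = "default URLSearchHook missing"
        elif section == "O2" and ("(no file)" in body or "(file missing)" in body):
            reason = "BHO registered but DLL absent"
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = first_exe(r.group("cmd"))
                stem = re.sub(r"\.exe$", "", exe.rsplit("\\", 1)[-1], flags=re.I)
                if re.match(r"^[a-z]:\\[^\\]+$", exe, re.I):
                    reason = "autorun executable in drive root"
                elif looks_random(r.group("name")) or looks_random(stem):
                    reason = "autorun with generated-looking name"
        elif section == "O16" and body.rstrip().endswith("-"):
            reason = "ActiveX (DPF) entry with no source URL"
        if reason:
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

On the constructed sample this flags seven of the eleven lines and leaves the Acrobat BHO, the Java updater, the WGA control and the Kaspersky service alone; it is deliberately conservative, and an entry such as the WeatherBug Run key would still need the human judgement the reply below supplies.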
#9
Posted 05 May 2005 - 04:39 AM
Sorry about the delay, been a real busy week!!!
Go to Add\Remove Programs and Remove:
AWS\WeatherBug
Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O9 - Extra button: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} -
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} -
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} -
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!
Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam
After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders; this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62
Once in Safe Mode, search the System for these:
C:\wp.exe<< File Only!!!
C:\wp.bmp<< File Only!!!
C:\Windows\sites.ini<< File Only!!!
C:\Windows\popuper.exe<< File Only!!!
C:\Windows\System32\helper.exe<< File Only!!!
C:\Windows\System32\intmonp.exe<< File Only!!!
C:\Windows\System32\msmsgs.exe<< File Only!!!
C:\Windows\System32\ole32vbs.exe<< File Only!!!
C:\Windows\system32\msole32.exe<< File Only!!!
C:\Windows\system32\WLDR.DLL<< File Only!!!
C:\Windows\system32\gztdtl.exe<< File Only!!!
C:\Program Files\AWS<<< Folder!!
Once completed, restart Normal and have the PC scanned here:
http://www.pandasoft...n_principal.htm
You will have to use Internet Explorer for the Scan to work!!
Please save the Report it generates and Post it here with a fresh HijackThis log!!
Edited by Cretemonster, 05 May 2005 - 04:43 AM.
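The post above is the helper's fix list for the poster's log. As an added example, not code from this thread or from HijackThis itself, the Python script below encodes the classes of entry that list targets (blanked IE start/search settings, a missing URLSearchHook, BHOs and buttons whose file is gone, O16 DPF entries with no download URL, Run entries that launch a file on the Safe Mode delete list) and runs them over lines copied from the logs in this thread. The random-name rule, the reason strings and the function names are my own assumptions, not HijackThis logic.

```python
"""Triage a HijackThis 1.99 log for the entry classes the helper's fix list targets.

Added example, not code from the thread or from HijackThis. The sample log
below is assembled from lines posted in this thread; the delete list is the
helper's Safe Mode list; the random-name rule is a heuristic of my own.
"""
import re

# Item lines look like "O4 - HKLM\..\Run: [name] path"; the prefix (R0, R3, O2,
# O4, O9, O16, O23 ...) identifies the autostart or browser hook point.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Pulls the launched executable out of an O4 Run entry body (quoted or not).
RUN_ENTRY = re.compile(r'\[(?P<name>[^\]]*)\]\s+"?(?P<path>[^"]+?\.(?:exe|dll|scr))', re.I)

# Full paths the helper told the poster to delete in Safe Mode (from the post above).
HELPER_DELETE_LIST = {
    r"c:\wp.exe", r"c:\wp.bmp", r"c:\windows\sites.ini", r"c:\windows\popuper.exe",
    r"c:\windows\system32\helper.exe", r"c:\windows\system32\intmonp.exe",
    r"c:\windows\system32\msmsgs.exe", r"c:\windows\system32\ole32vbs.exe",
    r"c:\windows\system32\msole32.exe", r"c:\windows\system32\wldr.dll",
    r"c:\windows\system32\gztdtl.exe",
}


def parse_hjt(text):
    """Return (section, body) pairs for every item line in a HijackThis log."""
    items = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def looks_random(basename):
    """Heuristic (an assumption, not anything HijackThis does): a stem of six or
    more letters with no vowel at all, like gztdtl.exe, has the shape of a
    generated dropper name. It also fires on some legitimate names (CTPDPSRV.EXE)."""
    stem = basename.rsplit(".", 1)[0]
    return len(stem) >= 6 and stem.isalpha() and not re.search(r"[aeiouy]", stem, re.I)


def reasons_for(sec, body):
    """Apply the rules implied by the helper's fix list; return why an item is suspect."""
    reasons = []
    text = body.rstrip()
    if sec in ("R0", "R1") and text.endswith("="):
        reasons.append("IE start/search setting blanked")
    if sec == "R3" and "is missing" in text:
        reasons.append("default URLSearchHook removed")
    if sec in ("O2", "O9") and ("(no file)" in text or "(file missing)" in text):
        reasons.append("orphaned BHO/button: registered but no file on disk")
    if sec == "O16" and text.endswith("-"):
        reasons.append("DPF entry with no download URL")
    if sec == "O4":
        m = RUN_ENTRY.search(text)
        if m:
            path = m.group("path").lower()
            if path in HELPER_DELETE_LIST:
                reasons.append("Run entry launches a file on the helper's delete list")
            elif looks_random(path.replace("/", "\\").rsplit("\\", 1)[-1]):
                reasons.append("Run entry launches a random-looking executable (heuristic, verify by hand)")
    return reasons


def triage(text):
    """Return [(section, reason, body)] for every suspect item, in log order."""
    return [(sec, reason, body)
            for sec, body in parse_hjt(text)
            for reason in reasons_for(sec, body)]


# Constructed from lines in this thread's logs; CTPDPSRV.EXE is a legitimate
# printer component and is included to show the random-name heuristic's false positive.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {body}")
```

Hits are candidates for a human to judge, not verdicts: the random-name rule also flags CTPDPSRV.EXE, a legitimate printer driver component that appears in the second log, and an orphaned O9 button such as the Yahoo! Login entry in the second log is normally leftover from an uninstall rather than an infection. The helper chose which lines to fix by reading each one; the script only speeds that reading up.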
#10
Posted 06 May 2005 - 09:06 PM
OK, I was not able to download ActiveScan, but I was able to complete everything else. Here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:05:18 PM, on 5/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Documents and Settings\TheGlaums\Desktop\FixIt File\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft word\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
#11
Posted 13 May 2005 - 08:29 PM
I apologize for taking so long to get back to you; business pulled me out of town for a week!!!
So,please update me and go from there!!
#12
Posted 14 May 2005 - 04:38 PM
OK, well, the last log is up, and so far I have not had any problems with popups, pop-behinds, ads, spam or anything else. So far the case seems resolved, unless you see something else in the HJT log.
#13
Posted 14 May 2005 - 06:08 PM
Just fix this one entry with HijackThis:
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
If you like, go ahead and reconfigure Msconfig the way you like the PC to start up!
Disable System Restore:
http://service1.syma...src=sec_doc_nam
Once disabled, restart the PC and go back and enable it!
This will flush all old restore points and create a new one that you can fall back on if you need it!!
The Kaspersky trial will run out after 30 days, so if you would like some links to some free antivirus software, just let me know!!!
We can do some other things also to ease the load on the PC if ya like!
You let me know what else I can do to help and I will be more than happy to do what I can!!!
#14
Posted 15 May 2005 - 09:48 AM
Thanks so much. Yes, I need something to keep these buggers away, and I didn't know my PC was loaded; let's fix that too.