Help, I'm under attack



#1 JGinIL (New Member, 8 posts)
Please, I know that I'm supposed to post a HJT log here, but I can't download anything without the ipassist thing overriding the page. I know where it is and how to get rid of it, but it keeps coming back. It is also a popup from IE, so I can't stop this. Please help.

#2 Wizard (Retired Staff, 5,661 posts)
What system are you running, and what exactly is it that you know where it is and can delete?

What AV and other cleaning programs are installed?

Let's see if I can get you to the state where you can at least download something!

#3 JGinIL (Topic Starter, New Member, 8 posts)
I'm running XP. I found the srchast file and could not delete or get rid of it. I have SpySubtract, AlertSpy and Windows SP2.

#4 JGinIL (Topic Starter, New Member, 8 posts)
Finally got a download of HJT to work. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:54 PM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\Services\{97392C4C-5EB0-402E-AAEC-184C9266E017}\SVCHOST.EXE
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\xdakcjx.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\AlertSpy\AlertSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighterScanner.exe" monitor
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Ad-Protect] C:\Program Files\Ad-Protect\ad-protect.exe /s
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{97392C4C-5EB0-402E-AAEC-184C9266E017}\SVCHOST.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [ttbuvq] c:\windows\system32\xdakcjx.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{97392C4C-5EB0-402E-AAEC-184C9266E017}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\sp

#5 Wizard (Retired Staff, 5,661 posts)
OK, that was only half the log, but still a start!!!

Go to Add/Remove Programs and remove these:

Webshots
AlertSpy
SpyFighter
Media Access
Ad-Protect
Security iGuard
Virtual Maid
Search Maid


After any removals, restart the PC for the changes to take effect!

Now, to create a permanent folder for HijackThis:

Right-click the Desktop >> select New >> Folder >> name it whatever you want!

Locate the HijackThis zip folder and place it in the new folder, and make sure to unzip it and extract all files!

Do whatever you have to do to disable SpySubtract's Venus Spytrap, if it's enabled; there should be an icon in the taskbar, near the clock, that you can right-click to disable it!

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK". Exit the program.
This will restore the original Hosts file that was deleted.

Use the link below and follow the instructions just as they are laid out:
http://forums.subrat...?showtopic=3466

Once both Kaspersky and Microsoft AntiSpyware are downloaded, installed and updated, just as described in the link:

Restart in Safe Mode. Once in Safe Mode, just open both Kaspersky and Microsoft AntiSpyware, but don't run them yet!

Right-click the taskbar and select Task Manager. Once it's open, click Processes; under Processes, locate:

Rundll32.exe <<< Right-click and select End Process

Explorer.exe <<< Right-click and select End Process
When you kill the Explorer process, the taskbar and desktop will disappear; this is normal, so don't panic!

Once those processes are killed, scan the PC with Kaspersky and delete all it finds!

Once Kaspersky is done, close it out and scan the PC with Microsoft AntiSpyware and delete all it finds!

Close out Microsoft AntiSpyware, go to the Task Manager and select Shut Down; choose to restart in Normal Mode!

Once back in Normal Mode, scan the PC with both again and delete all they find!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!
Make sure Normal Startup is checked!!

Select the tab labeled Startup and put a check by every box there!!

Click Apply >> OK >> follow the prompts to restart!!

Once restarted, scan the PC with HijackThis again and post those results!

Make sure to post the entire HijackThis log!
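Worked triage of the log posted above, as an added example: this is not HijackThis's own logic and not anything the staff in this thread ran; it just encodes the rules of thumb the replies apply by hand (a hijacked start page, orphaned BHOs with no file behind them, Run entries that load from a Temp directory, from the drive root or from a GUID-named folder, a system binary's name living outside its normal directory, and paired random lowercase names in system32). The sample lines are copied from the logs in this thread; everything else is an assumption made for the example: SystemRoot is C:\WINDOWS as the SpSeHjfix log's Win-Path shows, KNOWN_GOOD_HOSTS is a stand-in allowlist, and the random-name rule is a heuristic that can misfire. Adware that registers under a readable vendor name (AWS WeatherBug in this log) is deliberately not caught, which is why a human still reads the whole log.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis logs posted above (posts #4 and #6);
# a few benign entries are kept so the output shows what is NOT flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{97392C4C-5EB0-402E-AAEC-184C9266E017}\SVCHOST.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [ttbuvq] c:\windows\system32\xdakcjx.exe
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
"""

# Assumptions for this example (not from the thread): SystemRoot is C:\WINDOWS,
# and this tiny allowlist stands in for whatever home pages you actually trust.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}
KNOWN_GOOD_HOSTS = {"www.msn.com", "www.google.com", "www.yahoo.com"}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - .*?,(?P<setting>[^=]+?) = (?P<value>\S.*)$")
IMAGE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll|scr|com))(?=$|[\s,"])', re.I)
GUID_DIR_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
LOWER_WORD = re.compile(r"^[a-z]{5,}$")  # heuristic: bare lowercase, 5+ letters


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def extract_image(cmd: str) -> str:
    """Pull the executable/DLL path out of a Run-key command line."""
    m = IMAGE_RE.search(cmd)
    if m:
        return m.group(1)
    toks = cmd.split()
    if toks and toks[0].strip('"').lower() in ("rundll32", "rundll32.exe") and len(toks) > 1:
        return toks[1].split(",")[0]      # rundll32 <dll>,<entry> -> the dll
    return toks[0].strip('"') if toks else ""


def check_start_page(line: str) -> list[Finding]:
    m = R_RE.match(line)
    if not m:
        return []                          # empty value, e.g. "Start Page ="
    host = urlsplit(m["value"].strip()).hostname or ""
    if not host or host in KNOWN_GOOD_HOSTS:
        return []
    return [Finding("high", f"{m['setting']} points to untrusted host {host}", line)]


def looks_random(name: str, stem: str, parent: str) -> bool:
    """Two unrelated machine-looking lowercase names, image dropped straight
    into system32: the [ttbuvq] xdakcjx.exe pattern from this log."""
    return (parent == r"c:\windows\system32" and bool(LOWER_WORD.match(name))
            and bool(LOWER_WORD.match(stem)) and name != stem)


def check_autorun(line: str) -> list[Finding]:
    m = O4_RE.match(line)
    if not m:
        return []                          # "Global Startup" .lnk entries are skipped
    name, cmd = m["name"], m["cmd"]
    p = PureWindowsPath(extract_image(cmd))
    full, parent = str(p).lower(), str(p.parent).lower()
    out = []
    if "\\temp\\" in full:
        out.append(Finding("high", "autorun loads code from a Temp directory", line))
    if p.drive and p.parent.name == "":
        out.append(Finding("high", "executable sits in the drive root", line))
    if p.name.lower() in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        out.append(Finding("high", f"{p.name} wears a system binary's name outside its normal directory", line))
    if GUID_DIR_RE.search(parent):
        out.append(Finding("medium", "autorun path contains a GUID-named directory", line))
    if looks_random(name, p.stem, parent):
        out.append(Finding("medium", f"run key '{name}' and image '{p.name}' both look machine-generated", line))
    return out


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("R0 - ", "R1 - ")):
            findings += check_start_page(line)
        elif line.startswith("R3 - ") and "is missing" in line:
            findings.append(Finding("low", "default URLSearchHook missing (common after a hijack; HJT can restore it)", line))
        elif line[:2] in ("O2", "O3", "O9") and ("(no file)" in line or "(file missing)" in line):
            findings.append(Finding("low", "orphaned registration, the file is gone; fix it to clean up", line))
        elif line.startswith("O4 - "):
            findings += check_autorun(line)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Save your own HijackThis log to a file and call triage() on its contents; the high findings are the ones the replies here single out for removal, the lows are the dead registrations HijackThis's Fix Checked cleans up harmlessly.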

#6 JGinIL (Topic Starter, New Member, 8 posts)
This took all day, literally. I did not find Virtual Maid or Search Maid. I only found Media Access, Ad-Protect and Security iGuard in the registry files. Deleted them. At long last, here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:04:51 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\TheGlaums\Desktop\FixIt File\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft word\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} -
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} -
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#7 Wizard (Retired Staff, 5,661 posts)
OK, that got rid of a lot of nasties!!!

Please download SpSeHjfix from:
http://www.trojaner-...gi?file=sphjfix
Download it to the new folder you created!
Unzip and extract all files!

Close any open programs!!!
Run SpSeHjfix and click on "Start Disinfection".
When it's finished, it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix, which will appear in the new folder.

Once rebooted, run SpSeHjfix again and save that log.

Restart in Safe Mode and repeat the procedure again; when it restarts the PC, restart back into Safe Mode again and run it once more!

Make sure all 4 logs are saved in the new folder!

Once completed, restart normally and post all 4 logs along with a fresh HijackThis log!

#8 JGinIL (Topic Starter, New Member, 8 posts)
OK, that was painless. I was never prompted to reboot after the first disinfection; was that OK? Anyway, here are all five logs:

(5/3/05 10:41:07 AM) SPSeHjFix started v1.1.2
(5/3/05 10:41:07 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 10:41:07 AM) Language: english
(5/3/05 10:41:07 AM) Win-Path: C:\WINDOWS
(5/3/05 10:41:07 AM) System-Path: C:\WINDOWS\system32
(5/3/05 10:41:07 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 10:56:54 AM) Disinfection started
(5/3/05 10:56:55 AM) Bad-Dll(IEP): (not found)
(5/3/05 10:56:55 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 10:56:57 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 10:56:57 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 10:56:57 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(5/3/05 10:56:57 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(5/3/05 10:56:57 AM) Stealth-String not found
(5/3/05 10:56:58 AM) File added to delete: c:\docume~1\test\locals~1\temp\se.dll
(5/3/05 10:56:58 AM) Reboot


SHJ.2


(5/3/05 11:12:24 AM) SPSeHjFix started v1.1.2
(5/3/05 11:12:24 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:12:24 AM) Language: english
(5/3/05 11:12:24 AM) Win-Path: C:\WINDOWS
(5/3/05 11:12:24 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:12:24 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:12:25 AM) Disinfection started
(5/3/05 11:12:25 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:12:26 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:12:26 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:12:26 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:12:26 AM) Bad IE-pages: (none)
(5/3/05 11:12:26 AM) Stealth-String not found
(5/3/05 11:12:26 AM) Not infected->END


(5/3/05 11:15:33 AM) SPSeHjFix started v1.1.2
(5/3/05 11:15:33 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:15:33 AM) Language: english
(5/3/05 11:15:33 AM) Win-Path: C:\WINDOWS
(5/3/05 11:15:33 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:15:33 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:15:35 AM) Disinfection started
(5/3/05 11:15:35 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:15:35 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:15:35 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:15:35 AM) UBF: 8 - UBB: 8 - UBR: 18
(5/3/05 11:15:35 AM) Bad IE-pages: (none)
(5/3/05 11:15:35 AM) Stealth-String not found
(5/3/05 11:15:35 AM) Not infected->END


SHJ.3


(5/3/05 11:19:56 AM) SPSeHjFix started v1.1.2
(5/3/05 11:19:56 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:19:56 AM) Language: english
(5/3/05 11:19:56 AM) Win-Path: C:\WINDOWS
(5/3/05 11:19:56 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:19:56 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:19:59 AM) Disinfection started
(5/3/05 11:19:59 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:19:59 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:19:59 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:19:59 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:19:59 AM) Bad IE-pages: (none)
(5/3/05 11:19:59 AM) Stealth-String not found
(5/3/05 11:19:59 AM) Not infected->END


(5/3/05 11:21:24 AM) SPSeHjFix started v1.1.2
(5/3/05 11:21:24 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:21:24 AM) Language: english
(5/3/05 11:21:24 AM) Win-Path: C:\WINDOWS
(5/3/05 11:21:24 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:21:24 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:21:26 AM) Disinfection started
(5/3/05 11:21:26 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:21:26 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:21:26 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:21:26 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:21:26 AM) Bad IE-pages: (none)
(5/3/05 11:21:26 AM) Stealth-String not found
(5/3/05 11:21:26 AM) Not infected->END


SHJ.4


(5/3/05 11:23:53 AM) SPSeHjFix started v1.1.2
(5/3/05 11:23:53 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:23:53 AM) Language: english
(5/3/05 11:23:53 AM) Win-Path: C:\WINDOWS
(5/3/05 11:23:53 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:23:53 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:23:55 AM) Disinfection started
(5/3/05 11:23:55 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:23:55 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:23:55 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:23:55 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:23:55 AM) Bad IE-pages: (none)
(5/3/05 11:23:55 AM) Stealth-String not found
(5/3/05 11:23:55 AM) Not infected->END


(5/3/05 11:40:18 AM) SPSeHjFix started v1.1.2
(5/3/05 11:40:18 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/3/05 11:40:18 AM) Language: english
(5/3/05 11:40:18 AM) Win-Path: C:\WINDOWS
(5/3/05 11:40:18 AM) System-Path: C:\WINDOWS\system32
(5/3/05 11:40:18 AM) Temp-Path: C:\DOCUME~1\THEGLA~1\LOCALS~1\Temp\
(5/3/05 11:40:20 AM) Disinfection started
(5/3/05 11:40:20 AM) Bad-Dll(IEP): (not found)
(5/3/05 11:40:20 AM) Bad-Dll(IEP) in BHO: (not found)
(5/3/05 11:40:20 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:40:20 AM) UBF: 8 - UBB: 8 - UBR: 19
(5/3/05 11:40:20 AM) Bad IE-pages: (none)
(5/3/05 11:40:20 AM) Stealth-String not found
(5/3/05 11:40:20 AM) Not infected->END


HJT.2
Logfile of HijackThis v1.99.1
Scan saved at 12:04:01 PM, on 5/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\TheGlaums\Desktop\FixIt File\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft word\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} -
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} -
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

JUST A NOTE: this is working; fewer issassist popups and fewer popups in general.
  • 0

#9
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry about the delay, been a real busy week!!!

Go to Add\Remove Programs and Remove:

AWS\WeatherBug

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {3BF93901-B61F-29B1-8253-625578AB2F44} - (no file)
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O9 - Extra button: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A9BE0366-DC14-45F7-A884-94DC800F36DE} - (no file) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} -
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} -
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} -
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders, this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Once in Safe Mode, Search the System for these:

C:\wp.exe<< File Only!!!

C:\wp.bmp<< File Only!!!

C:\Windows\sites.ini<< File Only!!!

C:\Windows\popuper.exe<< File Only!!!

C:\Windows\System32\helper.exe<< File Only!!!

C:\Windows\System32\intmonp.exe<< File Only!!!

C:\Windows\System32\msmsgs.exe<< File Only!!!

C:\Windows\System32\ole32vbs.exe<< File Only!!!

C:\Windows\system32\msole32.exe<< File Only!!!

C:\Windows\system32\WLDR.DLL<< File Only!!!

C:\Windows\system32\gztdtl.exe<< File Only!!!

C:\Program Files\AWS<<< Folder!!

Once Completed, Restart Normal, Have the PC Scanned here:
http://www.pandasoft...n_principal.htm

You will have to use Internet Explorer for the Scan to work!!
Please save the Report it generates and Post it here with a fresh HijackThis log!!

Edited by Cretemonster, 05 May 2005 - 04:43 AM.

  • 0
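Wizard's fix list above boils down to a handful of patterns a log reader can check mechanically: loaders that point at files which no longer exist ("(no file)" / "(file missing)"), R0 start and search values that have been blanked, O16 DPF entries with no download URL, and Run keys launching straight out of the drive root. The following is an added example of my own, not code from the thread or from HijackThis, that encodes those patterns as a triage pass over constructed sample lines; THREAD_FILES is the helper's Safe Mode deletion list from this thread, and the WGA download URL is a placeholder.

```python
import re

# Constructed sample: HijackThis 1.99.1 lines taken from the entries the thread
# flags, plus two benign ones (Google toolbar, Kaspersky) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {0E290D49-D79E-4F49-9F76-4B1E95BE9FF1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mzkmdn] c:\windows\system32\gztdtl.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://example.invalid/wga.cab
"""
# Files the helper told the poster to delete in Safe Mode (paths from the thread).
THREAD_FILES = {
    r"c:\wp.exe", r"c:\wp.bmp", r"c:\windows\sites.ini", r"c:\windows\popuper.exe",
    r"c:\windows\system32\helper.exe", r"c:\windows\system32\intmonp.exe",
    r"c:\windows\system32\ole32vbs.exe", r"c:\windows\system32\msole32.exe",
    r"c:\windows\system32\wldr.dll", r"c:\windows\system32\gztdtl.exe",
}

ORPHAN = re.compile(r"\((?:no file|file missing)\)")              # loader points at a deleted file
R0_BLANK = re.compile(r"^R0 - .*=\s*$")                           # IE start/search value emptied
DPF_NO_URL = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -\s*$")  # ActiveX with no source
RUN_ENTRY = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?:"([^"]+)"|(\S+))')
ROOT_FILE = re.compile(r"^[a-z]:\\[^\\]+$")                       # autorun target sits in the drive root

def triage(log_text):
    """Return (reason, line) pairs for HJT entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if ORPHAN.search(line):
            findings.append(("orphan", line))
        elif R0_BLANK.match(line):
            findings.append(("blank-r0", line))
        elif line.startswith("R3 - ") and "missing" in line:
            findings.append(("missing-urlsearchhook", line))
        elif DPF_NO_URL.match(line):
            findings.append(("dpf-no-url", line))
        elif (m := RUN_ENTRY.match(line)):
            target = (m.group(1) or m.group(2)).lower()   # path inside quotes, or first token
            if target in THREAD_FILES:
                findings.append(("listed-in-thread", line))
            elif ROOT_FILE.match(target):
                findings.append(("run-from-root", line))
    return findings
```

Feed a saved log to `triage(open(path).read())`; entries it does not flag (the Google toolbar and Kaspersky lines in the sample) still need a human eye, since a healthy-looking path is not proof of a healthy file.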

#10
JGinIL

JGinIL

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OK I was not able to download ActiveScan but I was able to complete everything else. Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:18 PM, on 5/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Documents and Settings\TheGlaums\Desktop\FixIt File\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft word\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#11
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I apologize for taking so long to get back to you, Business pulled me out of town for a week!!!

So, please update me and go from there!!
  • 0

#12
JGinIL

JGinIL

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ok well the last log is up and so far I have not had any problems with popups, pop behinds, ads, spam or anything else. So far the case seems resolved except if you see something else in HJT log.
  • 0

#13
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Just fix this one entry with HijackThis:

O2 - BHO: (no name) - {666DD6B1-D6C5-483E-ABD5-00874AF99FDB} - C:\WINDOWS\system32\odac.dll (file missing)

If you like, go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Disable System Restore:
http://service1.syma...src=sec_doc_nam

Once Disabled, Restart the PC and go back and Enable it!

This will flush all old restore points and create a new one that you can fall back on if you need it!!

The Kaspersky trial will run out after 30 Days, so if you would like some links to some Free Antivirus Software, just let me know!!!

We can do some other things also to ease the load of the PC if ya like!

You let me know what else I can do to Help and I will be more than happy to do what I can!!!
  • 0

#14
JGinIL

JGinIL

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks so much. Yes I need something to keep these buggers away and I didn't know my PC was loaded, let's fix that too.
  • 0
