[DaOptimist]

I have used Ad-Aware and Spybot and Trend Housecall and I have deleted my Temp files, but I am still having a problem with constant pop-ups. They seem to be non-stop. I am posting my HJT log in order to get some advice. I may have eliminated some of the above problems when I used Ad-Aware, etc., but the pop-ups are still popping up.

Thank you!

-DaOptimist

Logfile of HijackThis v1.99.1
Scan saved at 8:01:08 AM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\system\nsutksmr.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\Toolbar\PIB.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\TEMP\L175LQAj.exe
C:\Documents and Settings\Paul Villanueva\Local Settings\Temp\Temporary Directory 4 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [WinPatrol] "D:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitekbe32.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TClockEx] D:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0029.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - D:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - D:\Program Files\Common Files\WinTools\WToolsS.exe

[Advertisements]

DaOptimist,

Sorry for the delayed reply, the board has been very busy lately.
If you are still looking to resolve this issue:

Please run through all the steps outlined in this Topic

Post back a new HijackThis log by using "Add Reply" to this thread.

If you have resolved this issue please let us know.

Thanks, and again sorry for the delayed reply,
rstones12

[rstones12]

DaOptimist,

Sorry for the delayed reply, the board has been very busy lately.
If you are still looking to resolve this issue:

Please run through all the steps outlined in this Topic

Post back a new HijackThis log by using "Add Reply" to this thread.

If you have resolved this issue please let us know.

Thanks, and again sorry for the delayed reply,
rstones12

[DaOptimist]

Here is my Ewido report and my latest HJT log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:36:35 AM, 5/27/2005
+ Report-Checksum: 31462966

+ Date of database: 5/27/2005
+ Version of scan engine: v3.0

+ Duration: 39 min
+ Scanned Files: 119734
+ Speed: 50.02 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\

+ Scan result:
C:\WINDOWS\system32\n.dll -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 2:03:11 AM, on 5/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system\qjnffisel.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Paul Villanueva\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TClockEx] D:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0029.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[rstones12]

DaOptimist,
Please read through these instructions before proceeding.

You are currently running HJT from a temporary location. Please create a folder on your C:\ drive and rename it something you will remember, such as C:\HJT. Move hijackthis.exe to that folder and run it from that location from now on. HJT creates a backup, it is needed in case of recovery issues.

Download CleanUp
Install the program, dont run it yet, we will later.

Download Pocket Killbox from HERE
Save it to your desktop.

Now close all browsers and open windows and open HJT.
Go to the Misc Tools | Open Process Manager

Click on the following entry:

C:\WINDOWS\system\qjnffisel.exe

Then click the Kill Process button
Close HJT.

Now open Killbox that you saved to your desktop.
Select the "Delete on Reboot" option.

Place the following line/path in the "Full Path of File to Delete" box.
C:\WINDOWS\system\qjnffisel.exe
Click the red button with the white X on it, killbox will present you with the option to delete the file, select Yes. It will then prompt you to reboot your system, select No

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot your system and post back a new HJT log by using Add Reply

Thanks,
rstones12

[DaOptimist]

Logfile of HijackThis v1.99.1
Scan saved at 1:21:14 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0029.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[DaOptimist]

Also, upon turning on the computer this morning, Ewido found an infected file:

My404.exe in C:\WINDOWS\

This keeps happening when I turn on the computer. How can I remove that completely?

Thank you!

DaOptimist

[rstones12]

DaOptimist,

In your last post the HJT log is incomplete, can you please post a complete HJT log and then we can tackle the my404.exe issue.

Thanks,
rstones12

[DaOptimist]

I just did another HJT scan. Here is the complete logfile from that scan. I am still geting the "My404.exe" and "Spyware.Hijacker.General" every time that I turn on the computer. Ewido supposedly blocks it, but it keeps reappearing.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:58 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TClockEx] D:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[rstones12]

DaOptimist,

Please read these instructions before proceeding:

First update your Ewido application, don't scan just yet.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Now boot into SafeMode, you can do this by tapping the F8 key while your system restarts.

Once in SafeMode run the Ewido scan, this should take care of those two issues.
Make sure to save the log file of the Ewido scan and post it with your next response.

After the scan is done and you have saved the log file.

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot normally and post back a new HJT log by using Add Reply
Don't forget the log file from the Ewido scan as well.

Thanks,
rstones12

[DaOptimist]

Here are the logs. Ewido found the same 404.exe thingee though upon my rebooting the computer after being in safe mode. It appeared to delete it, but when I rebooted the computer, it found it again. It just won't go away. Maybe a hammer would fix this problem..............

Logfile of HijackThis v1.99.1
Scan saved at 6:00:47 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TClockEx] D:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:41:49 PM, 5/29/2005
+ Report-Checksum: 59BEF37D

+ Date of database: 5/29/2005
+ Version of scan engine: v3.0

+ Duration: 84 min
+ Scanned Files: 122473
+ Speed: 24.18 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\

+ Scan result:
C:\Documents and Settings\Paul Villanueva\Local Settings\Temporary Internet Files\Content.IE5\R7K3DKXD\My404[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00016717.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00016765.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00016781.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system\rpalouc.exe -> TrojanDownloader.Small.aly -> Cleaned with backup


::Report End

[rstones12]

DaOptimist,

Let see if that file is still around:

First Open Internet Explorer and do the following:
Go to Tools | Internet Options
In the General Tab - Under Temporary Internet File click the Delete Files button.
A dialog box will open make sure to check the "Offline Content" check box.
Then click OK.

Empty your Recycle Bin.

Using Window Explorer search for and see if the file is present here.

C:\Windows\My404.exe

If that file is present, reboot into SafeMode and do the following:

Now open Killbox that you saved to your desktop.
Select the "Delete on Reboot" option.

Place the following line/path in the "Full Path of File to Delete" box.
C:\Windows\My404.exe
Click the red button with the white X on it, killbox will present you with the option to delete the file, select Yes. It will then prompt you to reboot your system, select No

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot and post back a new HJT log by using Add Reply

Thanks,
rstones12

[DaOptimist]

OK. I did what you said and I did NOT find

C:\WINDOWS\My404.exe

There was a

C:\WINDOWS|PREFETCH\My404.exe-301BE824.pf

file that was deleted when I ran CleanUp. I have run CleanUp several times over the past few days, but that file keeps reappearing so I am afraid that there may be something in the registry that tries to reload it. Anyway, I am posting the most recent HJT log below.

Thank you,
DaOptimist

Logfile of HijackThis v1.99.1
Scan saved at 9:44:53 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system\lsabpkk.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TClockEx] D:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[rstones12]

DaOptimist,
Lets clean out the Prefetch Folder:

• In My Computer, double-click to open local disk.
• In Local Disk, double-click to open the Windows folder.
• In the Windows folder, locate locate the Prefetch folder and double-click it to open it.
• In the Prefetch folder, from the menu bar, click Edit and click Select All. This will select/highlight all of the contents in the folder.
• Again from the menu bar, click File and click Delete. This will move the entire contents of the prefetch folder to the Recycle Bin.
• Close all the open windows and right-click on the Recycle Bin and click Empty Recycle Bin. Click Yes on any message wishing to confirm your action.

Now open Killbox that you saved to your desktop.
Select the "Delete on Reboot" option.

Place the following line/path in the "Full Path of File to Delete" box.
C:\WINDOWS\system\lsabpkk.exe
Click the red button with the white X on it, killbox will present you with the option to delete the file, select Yes. It will then prompt you to reboot your system, select No

Run CleanUp again,
Reboot and post back a new HJT log by using Add Reply

This should clear out the message that ewido gives at StartUp.
If not we will have get the "hammer".

Thanks,
rstones12

[DaOptimist]

Got that hammer ready???????

I did as you advised. When I rebooted, the file still appeared. I then ran Ewido and CleanUp again and Ewido came up absolutely clean (which was a first since I installed it), but upon rebooting, the blasted file was still there and tagged and cleaned by Ewido.

Also, I had a TON of Pop-Ups this morning even when IE was not open. They are not here now that I ran the above programs.

Thank you for all this help and advice. Here is the most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:41:39 AM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TClockEx] D:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[rstones12]

DaOptimist,

OK, lets do the following, you might have some leftovers we need to make sure are gone.

Download ETRemover unzip it and save it to your desktop. Don't run it just yet.

Now scan with HJT and place a checkmark next to the following items:

O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

Close all browsers and open windows except HJT then click the Fix Checked button.

Reboot into SafeMode:

Go to Start | Control Panel | Add Remove Programs
Remove the following programs if found or any variation.
ViewPoint
ViewPoint Manager

Now using Windows Explorer remove the following folders/files if found:
D:\Program Files\Viewpoint\ <-- Folder
C:\WINDOWS\VCMnet11.exe <-- File

Now run ETRemover.exe that you saved to your desktop.

Go to Start | Run
Type %temp% in the box, a new window will open then delete the contents of that folder.

Run the CleanUp program.

Reboot and post back a new HJT log by using Add Reply

Thanks,
rstones12