Mytob residual effects [CLOSED]



#1
ChickenArise

My parents' computer was recently infected with Mytob. I've managed to get rid of the virus, and I've fixed most of the spyware. However, some of it is rather persistent, and they are having trouble accessing the internet intermittently. I notice a few things that definitely need attention from this log, but I'm waiting to do any more so that I can just finish this.

Thanks!
---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:04:08 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\Webb\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [fdvcyal] c:\windows\system32\qhqwxb.exe r
O4 - HKLM\..\Run: [brhgsdgn] C:\WINDOWS\system32\brhgsdgn.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip....ro64_loader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103758386061
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O20 - AppInit_DLLs: 4c2jjlcfs2znwp5.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by ChickenArise, 15 June 2005 - 02:39 PM.


#2
tampabelle

Hi Chickenarise,

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. In case you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\system32\perfcii.ini
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Delfin or Adware.DelFin

Exit Add/Remove Programs.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\LogFiles
C:\Program Files\Security IGuard
C:\Program Files\DelFin
C:\Program Files\Common Files\dpi
C:\WINDOWS\System32\nsvsvc
C:\WINDOWS\System32\vidctrl
C:\WINDOWS\System32\picsvr
C:\WINDOWS\System32\wsxsvc
C:\WINDOWS\System32\vmss
C:\WINDOWS\System32\pgtools
C:\keys.ini


While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:


O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [fdvcyal] c:\windows\system32\qhqwxb.exe r
O4 - HKLM\..\Run: [brhgsdgn] C:\WINDOWS\system32\brhgsdgn.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab


Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
  • 0
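An added example, not part of the original posts and not how HijackThis or the helper works: a small Python triage pass over autorun lines copied from the first log in this thread. The three rules are illustrative assumptions (a system process name outside its normal folder, a vowel-poor file name sitting directly in system32, and any `AppInit_DLLs` value); they catch only part of what the helper listed, since entries such as `Security iGuard` or `nsvsvc` are recognised from knowledge of the specific adware, not from their shape.

```python
import ntpath
import re

# Entries copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [fdvcyal] c:\windows\system32\qhqwxb.exe r
O4 - HKLM\..\Run: [brhgsdgn] C:\WINDOWS\system32\brhgsdgn.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - AppInit_DLLs: 4c2jjlcfs2znwp5.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"

# Windows XP system processes (all visible in the thread's process lists)
# and the only folder each should run from.
EXPECTED_FOLDER = {
    "svchost.exe": SYSTEM32, "lsass.exe": SYSTEM32, "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32, "smss.exe": SYSTEM32, "spoolsv.exe": SYSTEM32,
    "explorer.exe": WINDIR,
}

RUN_RE = re.compile(r"^O4 - [A-Z]+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|pif|scr))(?=\s|$)", re.IGNORECASE)


def image_path(command):
    """Return the lower-cased executable path from a Run value, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so cut after the first executable
        # extension; fall back to the first token when there is no extension.
        m = EXE_RE.match(command)
        path = m.group(1) if m else command.split()[0]
    return path.lower().replace("%systemroot%", WINDIR)


def looks_random(stem):
    """Heuristic: at least 5 letters and fewer than 20% vowels."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage(log_text):
    """Return (section, entry name, reason) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            path = image_path(run.group("cmd"))
            folder = ntpath.dirname(path).rstrip("\\")
            exe = ntpath.basename(path)
            expected = EXPECTED_FOLDER.get(exe)
            if expected and folder != expected:
                findings.append(("O4", run.group("name"),
                                 f"{exe} normally runs from {expected}, not {folder}\\"))
            if folder == SYSTEM32 and looks_random(ntpath.splitext(exe)[0]):
                findings.append(("O4", run.group("name"),
                                 f"vowel-poor file name {exe} directly in system32"))
            continue
        appinit = APPINIT_RE.match(line)
        if appinit:
            value = appinit.group("value")
            reason = "DLLs listed here load into every process that loads user32.dll"
            if re.search(r"(\.\w+)\1", value):
                reason += "; value has a repeated file extension"
            findings.append(("O20", "AppInit_DLLs", reason))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section} [{name}]: {reason}")
```
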

#3
ChickenArise

The 'paste to clipboard' option for Killbox didn't work, but cutting and pasting each individual file and seeing if it existed by clicking on 'properties' only returned results for one of the files, which we proceeded to remove as per instructions.

hijack this and activescan logs:
----------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:17:02 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Webb\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip....ro64_loader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103758386061
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O20 - AppInit_DLLs: 4c2jjlcfs2znwp5.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

---------------------------

Incident Status Location

Virus:W32/Mytob.EP.worm Disinfected C:\Documents and Settings\Webb\Application Data\Thunderbird\Profiles\i3tchhf1.default\Mail\Local Folders\Inbox[info-text.zip][info-text.txt .pif]
Virus:W32/Mytob.EP.worm Disinfected C:\Documents and Settings\Webb\Application Data\Thunderbird\Profiles\i3tchhf1.default\Mail\Local Folders\Sent[info-text.zip][info-text.txt .pif]
Virus:W32/Mytob.EP.worm Disinfected C:\Documents and Settings\Webb\Application Data\Thunderbird\Profiles\i3tchhf1.default\Mail\Local Folders\Trash[info-text.zip][info-text.txt .pif]
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Webb\Favorites\go to sex.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Living\Dating.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Living\Find a job.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Living\Home.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Living\Insurance.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Webb\Favorites\Technology\Tech & gadgets.lnk
Adware:Adware/CWS.Searchmeup No disinfected C:\new.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\itshta.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\09026ywx1fkcmd.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\0lw7xuvovf88.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\0wf9l3624zj8.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\0xlluirh2g8.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\1770jztjylsds.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\1s6y86b9p2.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\1vthzwebs9jnl.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\1wk6dutu9o36dy.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\1zoiwre898ytjb.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\25tc2cy52ln6.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\2z3tvrytu0ph.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\3e1vgdjmky4.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\3kk7t4n73j2003.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\3rmozh8fj9.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\3rycz7gexobe.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\3uflpwwnx68lnh.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\432z4wwpyh.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\4db5su5y2ps1xw.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\4ep67ldkc3.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\4neo32nm2xmks.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\4ov2b0t6owxc7.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\4unw3xh4fkp2w.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\5ku9sgr7mt.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\6im3vh8weuw6y9.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\6jhsro1boh.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\7nug1ko4p1yx.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\8th2xfwdvh92x.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\9ji9wpbp3xfc.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\c5e7tbjgx7sk.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\cb3iswjtdkr9.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\cs621pow2m.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\cuezimyvp41l.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\cykx0th2ws38vu.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\cywd0io0jy.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\dgi129wfuer8gs.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\dhjec1li7e.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\dpf7480m77h44.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\dwhobulvnyr68x.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\enrcobiw4s7po.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\ep553zr5fe651.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\gibexhb7xcz.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\gu0yzmoswj8im.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\hml8em67hn.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\hofg3bl5yn.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\jb8jsf5ccwux4.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\jhnz09wtr13r8d.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\jsg417y54f.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\k4dll1vwh5.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\k4lwy3odzj.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\kodvd1byml1.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\md7fmvuxzt2w.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\n7ww60rgr9i.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc\nsv.ocx
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc\nsvsvc.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\nxiz4kjueh.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\owv6hc0bts8.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\ozs9chrrelu35.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\p3w2g4pdvrn7r.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\p9d2tn30tp5g7i.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\pizpoy36gg.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\ptpb9yswcg.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\pu1xtec3kzvc.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\r3d07vg3txd8n1.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\rhxt0s52tuerck.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\tok5i07e.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\uctjdvl91u2rm4.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\uesep349ci.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\ufx4vr7g16xe2h.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\uokjrt7mox.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\upc8x5rkgd.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\uzv210oio3w1j8.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\vbyvxon550p5dp.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\vevhe2810f.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\vhcr4sgcz5yj.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\vjwcd65hz3llki.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\vm0xc4rzuw7w9r.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\vmtngbxwk56.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\w8ts1ynt8xz.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\wh12nzi9r9.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\xbwh36bk6powf8.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\xhj0np00phx.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\z3jdi5roeh.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\zhgvtzngr7w.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\zmfm641097so.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\zsse4753r5rl06.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\winini.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS10044.CAB[A0296795.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS10045.CAB[A0296798.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS10048.CAB[A0297779.CPY]

#4
tampabelle

Hi ChickenArise,

The scan results show that we still have some work to do. Please read the instructions carefully and copy them into a text file on your desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. In case you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

Please reboot the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up). In the menu which comes up, choose the Safe Mode option.

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items, if found -

Delfin or Adware.DelFin
Media Motor

Close all windows.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES. Make sure that the hidden files are visible.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files and folders, if found -

Folders
C:\Documents and Settings\Webb\Favorites\Fun & Games
C:\Documents and Settings\Webb\Favorites\Going Places
C:\Documents and Settings\Webb\Favorites\Living
C:\Documents and Settings\Webb\Favorites\Shop
C:\Documents and Settings\Webb\Favorites\Technology

Files
C:\Documents and Settings\Webb\Favorites\go to sex.url
C:\new.exe
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
C:\WINDOWS\Downloaded Program Files\m67m.inf
C:\WINDOWS\Downloaded Program Files\m67m.ocx
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\SYSTEM32\09026ywx1fkcmd.dll
C:\WINDOWS\SYSTEM32\0lw7xuvovf88.dll
C:\WINDOWS\SYSTEM32\0wf9l3624zj8.dll
C:\WINDOWS\SYSTEM32\0xlluirh2g8.dll
C:\WINDOWS\SYSTEM32\1770jztjylsds.dll
C:\WINDOWS\SYSTEM32\1s6y86b9p2.dll
C:\WINDOWS\SYSTEM32\1vthzwebs9jnl.dll
C:\WINDOWS\SYSTEM32\1wk6dutu9o36dy.dll
C:\WINDOWS\SYSTEM32\1zoiwre898ytjb.dll
C:\WINDOWS\SYSTEM32\25tc2cy52ln6.dll
C:\WINDOWS\SYSTEM32\2z3tvrytu0ph.dll

Please reboot the PC and post a fresh Hijack This log.

#5
ChickenArise

not found:

windows\unstall.exe
windows\winini.exe
windows\itshta.exe
windows\seeve.exe

media motor or delfin or adware.delfin

downloaded program files\m67m.inf
downloaded program files\m67m.ocx
downloaded program files\popcaploader.inf

hijack this! log:

Logfile of HijackThis v1.99.1
Scan saved at 8:26:46 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Webb\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip....ro64_loader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103758386061
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - AppInit_DLLs: 4c2jjlcfs2znwp5.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--------------------------------

Also, someone has recently gotten access to their PayPal account. I think this was probably from the Mytob infection? They have resolved the issue so far with PayPal, but I thought I'd mention it since it's probably related to these problems.

#6
tampabelle

Hi ChickenArise,

There is some minor clean up.

Run Hijack This and click on Scan. Check the boxes next to the following items and click on Fix checked:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O20 - AppInit_DLLs: 4c2jjlcfs2znwp5.dll.dll.dll.dll



Regarding your query - Some of the spyware catches the clicks on your PC and then transmits the information. This could have contributed to the compromising of your PayPal account. That's the reason why spyware is so dangerous !!!!!!!

Please let me know how your net connectivity is now !!!!
  • 0
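The kind of check applied in the reply above, as an added example that is not part of the original thread. The function names are hypothetical, the sample lines are copied from the log posted in #5, and the rule (flag entries HijackThis marks "(file missing)" or "(no file)", plus any non-empty AppInit_DLLs value) is an assumption that happens to reproduce the four items selected in the reply.

```python
import re

# A HijackThis entry line is "<section> - <body>", e.g. "O9 - Extra button: ...".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends these markers when the referenced file is not on disk.
ORPHAN = re.compile(r"\((?:file missing|no file)\)")

def parse_entries(log_text):
    """Yield (section, body) for each entry line; process paths are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def triage(log_text):
    """Return (section, reason, body) tuples for entries worth reviewing."""
    findings = []
    for section, body in parse_entries(log_text):
        if ORPHAN.search(body):
            findings.append((section, "registry entry points at a missing file", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # DLLs named here are loaded into every process that loads user32.dll.
            if body.split(":", 1)[1].strip():
                findings.append((section, "AppInit_DLLs is not empty", body))
    return findings

# Lines copied from the log posted in #5 of this thread.
SAMPLE = r"""
C:\WINDOWS\system32\lsass.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C653EF4A-E099-4DD9-8195-4D475D63A2A8} - (no file) (HKCU)
O20 - AppInit_DLLs: 4c2jjlcfs2znwp5.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE):
        print(f"[{section}] {reason}: {body}")
```

A flagged line is a prompt for review, not a verdict: a legitimate product can register an AppInit_DLLs value, so the file it names still has to be checked.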

#7
ChickenArise

Everything seems back to normal, thanks so much for your help!

#8
tampabelle

Hi ChickenArise,


Can you post a HJT log so that I can verify that your PC is clean ??

#9
ChickenArise

I will do so, but my parents went out of town before giving me a new one. They won't be back for a week, and I am too far away to go do it myself. (I started working on their problem while I was visiting.)

#10
tampabelle

No problem, just have your parents post a HJT log and I will verify the log.

#11
tampabelle

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.