Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

winfixer 2005 and nonstop popup [RESOLVED]


  • This topic is locked This topic is locked

#1
Seriousfon

Seriousfon

    Member

  • Member
  • PipPip
  • 11 posts
Hello everybody. I am trying to fix my friend's computer with spywares problem. I have browsed this forum for a while and notice that you guy could help me.

Any suggestion would be appreciated, thankyou.

Logfile of HijackThis v1.99.1
Scan saved at 7:30:54, on 9/9/2548
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\ssysru2d.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\medgs1.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\ssysru2d.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\German-Thai\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F3 - REG:win.ini: load= mbtn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {544D3227-6801-04BD-D909-6292B86D33C3} - (no file)
O2 - BHO: (no name) - {8BF78BA5-0335-1C52-EC09-AEBCEBC0D548} - (no file)
O2 - BHO: (no name) - {962342AD-7D9C-4ED9-06F6-290AD24C961B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ssysru2d.exe DO0605
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\GERMAN~1\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dxpdll.exe reg_run
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [onuhxr] C:\WINDOWS\System32\gamucc.exe r
O4 - HKLM\..\Run: [ufwgdir] C:\WINDOWS\System32\pctogec.exe r
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\qpdxregs.exe DO0605
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [winox.exe] C:\WINDOWS\system32\winox.exe
O4 - HKLM\..\Run: [netut.exe] C:\WINDOWS\system32\netut.exe
O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [atlnb.exe] C:\WINDOWS\atlnb.exe
O4 - HKLM\..\Run: [sdkqa.exe] C:\WINDOWS\system32\sdkqa.exe
O4 - HKLM\..\Run: [wnobmvf] C:\WINDOWS\System32\mjqzmo.exe r
O4 - HKLM\..\Run: [utsumja] C:\WINDOWS\System32\nmqtbwo.exe r
O4 - HKLM\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [wmoi] C:\PROGRA~1\COMMON~1\wmoi\wmoim.exe
O4 - HKCU\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Zstart.lnk.disabled
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ssysru2d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: ActiveShopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra 'Tools' menuitem: ActiveShopper Toolbar - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...b91d7/enter.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...all_ysp1001.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096231347096
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Seriousfon and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.
  • Click on My Controls at the top right hand corner of the window.
  • In the left hand column, click "View Topics"
  • If you click on the title of your post, you will be taken there
2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Run HijackThis
  • Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')
  • POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

  • 0

#3
Seriousfon

Seriousfon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Trevuren, thank you for your fast response.
Here is my new Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:08:24, on 9/9/2548
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\ssysru2d.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\medgs1.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F3 - REG:win.ini: load= mbtn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {544D3227-6801-04BD-D909-6292B86D33C3} - (no file)
O2 - BHO: (no name) - {8BF78BA5-0335-1C52-EC09-AEBCEBC0D548} - (no file)
O2 - BHO: (no name) - {962342AD-7D9C-4ED9-06F6-290AD24C961B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ssysru2d.exe DO0605
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\GERMAN~1\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dxpdll.exe reg_run
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [onuhxr] C:\WINDOWS\System32\gamucc.exe r
O4 - HKLM\..\Run: [ufwgdir] C:\WINDOWS\System32\pctogec.exe r
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\qpdxregs.exe DO0605
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [winox.exe] C:\WINDOWS\system32\winox.exe
O4 - HKLM\..\Run: [netut.exe] C:\WINDOWS\system32\netut.exe
O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [atlnb.exe] C:\WINDOWS\atlnb.exe
O4 - HKLM\..\Run: [sdkqa.exe] C:\WINDOWS\system32\sdkqa.exe
O4 - HKLM\..\Run: [wnobmvf] C:\WINDOWS\System32\mjqzmo.exe r
O4 - HKLM\..\Run: [utsumja] C:\WINDOWS\System32\nmqtbwo.exe r
O4 - HKLM\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [wmoi] C:\PROGRA~1\COMMON~1\wmoi\wmoim.exe
O4 - HKCU\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Zstart.lnk.disabled
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ssysru2d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: ActiveShopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra 'Tools' menuitem: ActiveShopper Toolbar - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...b91d7/enter.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...all_ysp1001.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096231347096
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME
  • Click HERE for the update.
  • Apply the update.
  • REBOOT YOUR SYSTEM
  • Post a fresh Hijack This log
Regards,

Trevuren
.
  • 0

#5
Seriousfon

Seriousfon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Ok, I update SP1 as you suggest.
Here is my new Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:02:42, on 9/9/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\ssysru2d.exe
C:\WINDOWS\System32\medgs1.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ssysru2d.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F3 - REG:win.ini: load= mbtn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {544D3227-6801-04BD-D909-6292B86D33C3} - (no file)
O2 - BHO: (no name) - {8BF78BA5-0335-1C52-EC09-AEBCEBC0D548} - (no file)
O2 - BHO: (no name) - {962342AD-7D9C-4ED9-06F6-290AD24C961B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ssysru2d.exe DO0605
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\GERMAN~1\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dxpdll.exe reg_run
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [onuhxr] C:\WINDOWS\System32\gamucc.exe r
O4 - HKLM\..\Run: [ufwgdir] C:\WINDOWS\System32\pctogec.exe r
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\qpdxregs.exe DO0605
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [winox.exe] C:\WINDOWS\system32\winox.exe
O4 - HKLM\..\Run: [netut.exe] C:\WINDOWS\system32\netut.exe
O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [atlnb.exe] C:\WINDOWS\atlnb.exe
O4 - HKLM\..\Run: [sdkqa.exe] C:\WINDOWS\system32\sdkqa.exe
O4 - HKLM\..\Run: [wnobmvf] C:\WINDOWS\System32\mjqzmo.exe r
O4 - HKLM\..\Run: [utsumja] C:\WINDOWS\System32\nmqtbwo.exe r
O4 - HKLM\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [wmoi] C:\PROGRA~1\COMMON~1\wmoi\wmoim.exe
O4 - HKCU\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Zstart.lnk.disabled
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ssysru2d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: ActiveShopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra 'Tools' menuitem: ActiveShopper Toolbar - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...b91d7/enter.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...all_gsm1009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096231347096
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)

Sorry for late reply.
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. I want you to UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel:

SurfSidekick2
Surfsidekick3

2. Now, using Windows Explorer, I need you to DELETE the following folder(s) and all their content:

C:\Program Files\SurfSidekick2
C:\Program Files\SurfSidekick3

3. REBOOT your system

4. Malicious .DLL file(s) has/have disrupted the LSP chain on your computer. This can be seen by the (010) entry(ies) in your HJT log. We must fix this problem as a priority.

1. Backup the registry by going to Start>Run> and type ‘regedit’ without the quotes. Then on the file menu choose ‘export’ in XP.

2. Download the LSPfix.txt and read the readme file.

3. Download LSPfix.zip or LSPfix.exe

4. Close all windows except LSPfix

5. Launch LSPfix.zip and install to its own folder, then click on LSPfix.exe. Or click on LSPfix.exe and it will launch the program.

6. Put a check mark in the box “I know what I am doing

7. Click ‘Finish

7. REBOOT to complete the task.

8. Now RUN HJT, click Scan and POST a new log file in this thread using “Add Reply”.

Regards,

Trevuren

  • 0

#7
Seriousfon

Seriousfon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Trevuren, I can only find Surfsidekick3 in Control Panel/Program files

Regardless, here is my new log file.

Logfile of HijackThis v1.99.1
Scan saved at 12:34:43, on 9/9/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\ssysru2d.exe
C:\WINDOWS\System32\medgs1.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load= mbtn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {544D3227-6801-04BD-D909-6292B86D33C3} - (no file)
O2 - BHO: (no name) - {8BF78BA5-0335-1C52-EC09-AEBCEBC0D548} - (no file)
O2 - BHO: (no name) - {962342AD-7D9C-4ED9-06F6-290AD24C961B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ssysru2d.exe DO0605
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\GERMAN~1\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dxpdll.exe reg_run
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [onuhxr] C:\WINDOWS\System32\gamucc.exe r
O4 - HKLM\..\Run: [ufwgdir] C:\WINDOWS\System32\pctogec.exe r
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\qpdxregs.exe DO0605
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [winox.exe] C:\WINDOWS\system32\winox.exe
O4 - HKLM\..\Run: [netut.exe] C:\WINDOWS\system32\netut.exe
O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [atlnb.exe] C:\WINDOWS\atlnb.exe
O4 - HKLM\..\Run: [sdkqa.exe] C:\WINDOWS\system32\sdkqa.exe
O4 - HKLM\..\Run: [wnobmvf] C:\WINDOWS\System32\mjqzmo.exe r
O4 - HKLM\..\Run: [utsumja] C:\WINDOWS\System32\nmqtbwo.exe r
O4 - HKLM\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [wmoi] C:\PROGRA~1\COMMON~1\wmoi\wmoim.exe
O4 - HKCU\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Zstart.lnk.disabled
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ssysru2d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: ActiveShopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra 'Tools' menuitem: ActiveShopper Toolbar - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...b91d7/enter.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...all_gsm1009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096231347096
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
You have a Haxdoor Backdoor Trojan which requires some tools to get rid of.
  • First, download HSFix from here
  • After it is downloaded, create a new folder on your desktop called "HDFix" and extract all the files into the newly created folder.
  • Next, download CleanUp! Install it, but do not run it yet.
  • Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Locate the HDFix folder on your desktop, open it, and double-click "hdfix.bat"
  • A log will be produced which you can close out of.
  • Then run HijackThis again, close any open windows and browsers and fix these:
    HJT items here
  • Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
  • Restart your computer into normal mode and run at least one of the following free, online virus scans:
    http://housecall.tre.../start_corp.asp
    http://www.pandasoft...n_principal.htm
    http://www3.ca.com/t...sinfo/scan.aspx
  • Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt
Regards,

Trevuren

  • 0

#9
Seriousfon

Seriousfon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Sorry but I am not quite understand what you meant by "HJT items here
". What I am suppose to do after run Hijackthis?

Thank.
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I am the one who is sorry, I forgot to include the HJT entry to fix. It is the following:

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

Do not use the link provided for the PandaScan is no loger functions. Please use the folllowing one:

http://www.pandasoft...n_principal.htm


Trevuren
  • 0

Advertisements


#11
Seriousfon

Seriousfon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Strange, I can not find this line in HJT anymore.
Anyway, I will procede with Run Cleanup.
  • 0

#12
Seriousfon

Seriousfon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi, it apear that "O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe"
line come back everytime I restart the computer. :tazz:

I use activescan from pandasoft, so here is my new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 16:19:06, on 9/9/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\ssysru2d.exe
C:\WINDOWS\System32\medgs1.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\MATLABR11\webserver\bin\matlabserver.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S1T0A2.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load= mbtn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {544D3227-6801-04BD-D909-6292B86D33C3} - (no file)
O2 - BHO: (no name) - {8BF78BA5-0335-1C52-EC09-AEBCEBC0D548} - (no file)
O2 - BHO: (no name) - {962342AD-7D9C-4ED9-06F6-290AD24C961B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ssysru2d.exe DO0605
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\GERMAN~1\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dxpdll.exe reg_run
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [onuhxr] C:\WINDOWS\System32\gamucc.exe r
O4 - HKLM\..\Run: [ufwgdir] C:\WINDOWS\System32\pctogec.exe r
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\qpdxregs.exe DO0605
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [winox.exe] C:\WINDOWS\system32\winox.exe
O4 - HKLM\..\Run: [netut.exe] C:\WINDOWS\system32\netut.exe
O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [atlnb.exe] C:\WINDOWS\atlnb.exe
O4 - HKLM\..\Run: [sdkqa.exe] C:\WINDOWS\system32\sdkqa.exe
O4 - HKLM\..\Run: [wnobmvf] C:\WINDOWS\System32\mjqzmo.exe r
O4 - HKLM\..\Run: [utsumja] C:\WINDOWS\System32\nmqtbwo.exe r
O4 - HKLM\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [wmoi] C:\PROGRA~1\COMMON~1\wmoi\wmoim.exe
O4 - HKCU\..\Run: [Microsoft Update Mechene] Updatez.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Zstart.lnk.disabled
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ssysru2d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: ActiveShopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra 'Tools' menuitem: ActiveShopper Toolbar - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...IVOTAL_2_DB.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...b91d7/enter.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...all_gsm1009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096231347096
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)

And this is HSFix log.


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate

I will go to bed now, thankyou so much for today help Trevuren.
  • 0

#13
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Make double sure to disable Spybot's Tea Timer for now, as it can interfere with the fixing of problems.

Open Spybot and and make sure you are in Advanced mode (check it in the 'Mode' menu). Go to the Tools section and click resident and then uncheck the box for Tea Timer.

Then, REBOOT
========================================================

Your system is infected with a variant of the About:Blank infection.
  • First we must STOP, and Disable a bad Added Service
    • Click Start>Run and type in: services.msc
    • Click OK
    • In the Services window find: Insert Display Name
    • Select/highlight and right click the entry, and choose: Properties
    • On the General tab, under Service Status click the Stop button
    • Beside: Startup Type, in the drop menu, select: Disabled
    • Click Apply, then OK
  • Download CWShredder
    Click check for updates. Do not use it yet.

  • Download Aboutbuster 5
    Unzip the file to its own folder (C:\AB) Do not use it yet.

  • Download: HomeSearchfix. Unzip it to your desktop. Do not use it yet.

  • Download Killbox
    Choose save as to your desktop. Unzip the file. Do not use it yet.

    Take care: some files can be hidden, so first go to start > control panel > folder options > view (tab) > mark “show hidden files en extensions >OK

    Please print out these directions for in safe mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!!

  • Reboot your system intosafe mode for all OS

  • Close all windows and open HijackThis.
    • Click "scan only” in the main window
    • Put a checkmark beside the following entries and click “FIX checked”.

      R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\obttv.dll/sp.html#44768
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nozbp.dll/sp.html#37049
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
      R3 - Default URLSearchHook is missing
      O2 - BHO: (no name) - {544D3227-6801-04BD-D909-6292B86D33C3} - (no file)
      O2 - BHO: (no name) - {8BF78BA5-0335-1C52-EC09-AEBCEBC0D548} - (no file)
      O2 - BHO: (no name) - {962342AD-7D9C-4ED9-06F6-290AD24C961B} - (no file)
      O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
      O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
      O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ssysru2d.exe DO0605
      O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
      O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
      O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
      O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\GERMAN~1\LOCALS~1\Temp\InSearch.exe
      O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
      O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
      O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dxpdll.exe reg_run
      O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
      O4 - HKLM\..\Run: [onuhxr] C:\WINDOWS\System32\gamucc.exe r
      O4 - HKLM\..\Run: [ufwgdir] C:\WINDOWS\System32\pctogec.exe r
      O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
      O4 - HKLM\..\Run: [ZStart] C:\windows\system32\qpdxregs.exe DO0605
      O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
      O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
      O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
      O4 - HKLM\..\Run: [winox.exe] C:\WINDOWS\system32\winox.exe
      O4 - HKLM\..\Run: [netut.exe] C:\WINDOWS\system32\netut.exe
      O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
      O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
      O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
      O4 - HKLM\..\Run: [atlnb.exe] C:\WINDOWS\atlnb.exe
      O4 - HKLM\..\Run: [sdkqa.exe] C:\WINDOWS\system32\sdkqa.exe
      O4 - HKLM\..\Run: [wnobmvf] C:\WINDOWS\System32\mjqzmo.exe r
      O4 - HKLM\..\Run: [utsumja] C:\WINDOWS\System32\nmqtbwo.exe r
      O4 - HKLM\..\Run: [Microsoft Update Mechene] Updatez.exe
      O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
      O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
      O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
      O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
      O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
      O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
      O4 - HKCU\..\Run: [wmoi] C:\PROGRA~1\COMMON~1\wmoi\wmoim.exe
      O4 - HKCU\..\Run: [Microsoft Update Mechene] Updatez.exe
      O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
      O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
      O9 - Extra button: ActiveShopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
      O9 - Extra 'Tools' menuitem: ActiveShopper Toolbar - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
      O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...IVOTAL_2_DB.cab
      O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
      O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...b91d7/enter.cab
      O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...all_gsm1009.cab
      O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
      O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
  • Run CWShredder and choose FIX

  • Start AboutBuster and press START, and then OK. The program will start scanning.

  • Doubleclick HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES.

  • Start Killbox
    • Place a checkmark next to [x] Delete On Reboot.
    • Highlight the following list and Copy it (Ctrl+C) to the windows clipboard.

      C:\WINDOWS\System32\ssysru2d.exe
      C:\WINDOWS\System32\medgs1.exe
      C:\Program Files\BullsEye Network
      C:\WINDOWS\system32\obttv.dll
      C:\WINDOWS\system32\nozbp.dll
      C:\WINDOWS\System32\nvms.dll
      C:\WINDOWS\System32\mscb.dll
      C:\WINDOWS\etb
      C:\WINDOWS\System32\opr.exe
      C:\DOCUME~1\GERMAN~1\LOCALS~1\Temp\InSearch.exe
      C:\WINDOWS\System32\nsvsvc
      rundll32 C:\PROGRA~1\NEWDOT~1
      C:\WINDOWS\System32\dxpdll.exe
      C:\Program Files\Media Access
      C:\WINDOWS\System32\gamucc.exe r
      C:\WINDOWS\System32\pctogec.exe r
      C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe
      C:\windows\system32\qpdxregs.exe
      C:\Program Files\SurfSideKick 2
      C:\Program Files\Web_Rebates
      C:\WINDOWS\system32\winox.exe
      C:\WINDOWS\system32\netut.exe
      C:\WINDOWS\sdkam32.exe
      C:\WINDOWS\System32\PSof1.exe
      C:\WINDOWS\System32\exp.exe
      C:\WINDOWS\atlnb.exe
      C:\WINDOWS\system32\sdkqa.exe
      C:\WINDOWS\System32\mjqzmo.exe r
      C:\WINDOWS\System32\nmqtbwo.exe r
      Updatez.exe
      smsc.exe
      C:\Program Files\SurfSideKick 3
      C:\WINDOWS\System32\tibs3.exe
      C:\WINDOWS\System32\pshwr.exe
      C:\Program Files\Cas
      C:\PROGRA~1\COMMON~1\wmoi




      Exit Explorer, and reboot as normal afterwards.

    • Back in Killbox, go > file > paste from clipboard,
    • Click the red highlighted X button and click yes to the prompt when all the files have been pasted.
    • Then click OK
    • Exit Killbox and Reboot your PC.
  • After the reboot, Start AboutBuster AGAIN and scan AGAIN.

  • Clean temporary files:
    • Go > start > run and type cleanmgr and OK
    • Scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
    • Click OK to remove those files.
    • Click Yes to confirm deletion.
  • Reboot your system into normal mode.

  • Download Ewido scan
    • Check for updates.
    • Let it do a full run.
    • Copy the log. Past it to a blank Notepad file and save it to post here.
  • Finally, run HijackThis, click SCAN, produce a LOG and POST it and the EWIDOscan log in this thread for review.
Regards,

Trevuren

  • 0

#14
Seriousfon

Seriousfon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Trevuren

In the first direction, did you forgot to add the name of service you want me too disable?

Cos I can not find the service name "Insert Display Name"

Thank
Seriousfon
  • 0

#15
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Sorry for the confusion, there is no display name. I just forgot to remove the paragraph.. Please do the rest.


Regards,


Trevuren

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP