aaawebsearch removal



#1
rstuebenjr (New Member)
I need help removing aaawebsearch. Running W2K Professional on a Dell Latitude.
My HijackThis log is as follows.
I greatly appreciate any help.

Bob
Your email removed for your security. Bots scour the internet searching for emails to mass mail to. Use the word 'at' instead if you're going to post it, but you'll find you will receive an email when you get a reply from here anyway.



Logfile of HijackThis v1.99.0
Scan saved at 11:39:37 AM, on 12/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\WINNT\system32\pctspk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\luPARSppm.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\temp\salm.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\wdgpabqv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\stueben\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Prodigy Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ;;;
R3 - URLSearchHook: (no name) - {CAB7C0BB-2CF2-A86F-E8E4-AAFE6B6E51CC} - C:\WINNT\system32\luPARSppm.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmdk32.exe
O4 - HKLM\..\Run: [hsqvtu] C:\WINNT\system32\ikeqsnvj.exe
O4 - HKLM\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
O4 - HKLM\..\Run: [56E04AD6] C:\WINNT\system32\agockxm.exe
O4 - HKLM\..\Run: [FF4D8406] C:\WINNT\system32\CSEDPTI.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BFADD5DB] C:\WINNT\system32\UPatkser.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [FEB71ED6] C:\WINNT\system32\resETER.exe
O4 - HKLM\..\Run: [FF1C4873] C:\WINNT\system32\MONmsexATHP.exe
O4 - HKLM\..\Run: [DE09F1E6] C:\WINNT\system32\EmaRXowse.exe
O4 - HKLM\..\Run: [9B9D297E] C:\WINNT\system32\ArR54.exe
O4 - HKLM\..\Run: [F096D406] C:\WINNT\system32\auGNcdf.exe
O4 - HKLM\..\Run: [CB9A92C6] C:\WINNT\system32\apisrv.exe
O4 - HKLM\..\Run: [wdgpabqv] C:\WINNT\wdgpabqv.exe
O4 - HKLM\..\Run: [502021C6] C:\WINNT\system32\UP54apesr.exe
O4 - HKLM\..\Run: [C36884C6] C:\WINNT\system32\eamort.exe
O4 - HKLM\..\Run: [A9ADD4D3] C:\WINNT\system32\sldpHPILT.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
O4 - HKCU\..\Run: [56E04AD6] C:\WINNT\system32\agockxm.exe
O4 - HKCU\..\Run: [FF4D8406] C:\WINNT\system32\CSEDPTI.exe
O4 - HKCU\..\Run: [BFADD5DB] C:\WINNT\system32\UPatkser.exe
O4 - HKCU\..\Run: [FEB71ED6] C:\WINNT\system32\resETER.exe
O4 - HKCU\..\Run: [FF1C4873] C:\WINNT\system32\MONmsexATHP.exe
O4 - HKCU\..\Run: [DE09F1E6] C:\WINNT\system32\EmaRXowse.exe
O4 - HKCU\..\Run: [9B9D297E] C:\WINNT\system32\ArR54.exe
O4 - HKCU\..\Run: [F096D406] C:\WINNT\system32\auGNcdf.exe
O4 - HKCU\..\Run: [CB9A92C6] C:\WINNT\system32\apisrv.exe
O4 - HKCU\..\Run: [502021C6] C:\WINNT\system32\UP54apesr.exe
O4 - HKCU\..\Run: [C36884C6] C:\WINNT\system32\eamort.exe
O4 - HKCU\..\Run: [A9ADD4D3] C:\WINNT\system32\sldpHPILT.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pcm: C:\Program Files\Internet Explorer\PLUGINS\NpCurMem.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://xyz.aflashcou...masta.chm::/exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.nor...bin/AvSniff.cab
O16 - DPF: {310BD666-1EA3-4453-AF49-7C65D107030A} (mw4_baseCtl Class) - https://owa.pennmutu...sa/mw4_base.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapweb.ops.pl...quicksilver.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://pennmutual.we...bex/ieatgpc.cab
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - C:\Program Files\NetExchange Pro3.0\FlowHook.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DCS Loader - Oki Data Corporation - C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
Yarnouth (Visiting Staff)
Hi rstuebenjr and welcome to geekstogo. You have a number of randomly named files on your system. We like to start with an online virus and trojan scan. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

#3
rstuebenjr (New Member, Topic Starter)
After running the online scan, I cannot clean or delete the following because they are in use:

c:\program files\common files\tsa\tsa2.exe
\tsm2.exe
c:\winnt\system32\aaaares.dll
\aihpomamsfl.dll
\dptpdptp.dll
\luparsppm.exe

I did not run the moosoft trojan scan or the ad-aware scan yet.

Thanks

#4
rstuebenjr (New Member, Topic Starter)
Here is my log after running the online, trojan and ad-aware scans.
I forgot to mention in my initial posting the following error:
failed to load c:\winnt\system32\bridge.dll


Logfile of HijackThis v1.99.0
Scan saved at 9:24:43 AM, on 12/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\luPARSppm.exe
C:\temp\salm.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\WINNT\zobiv.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\stueben\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaawebsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Prodigy Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ;;;
R3 - URLSearchHook: (no name) - {CAB7C0BB-2CF2-A86F-E8E4-AAFE6B6E51CC} - C:\WINNT\system32\luPARSppm.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmdk32.exe
O4 - HKLM\..\Run: [hsqvtu] C:\WINNT\system32\ikeqsnvj.exe
O4 - HKLM\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
O4 - HKLM\..\Run: [56E04AD6] C:\WINNT\system32\agockxm.exe
O4 - HKLM\..\Run: [FF4D8406] C:\WINNT\system32\CSEDPTI.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BFADD5DB] C:\WINNT\system32\UPatkser.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [FEB71ED6] C:\WINNT\system32\resETER.exe
O4 - HKLM\..\Run: [FF1C4873] C:\WINNT\system32\MONmsexATHP.exe
O4 - HKLM\..\Run: [DE09F1E6] C:\WINNT\system32\EmaRXowse.exe
O4 - HKLM\..\Run: [9B9D297E] C:\WINNT\system32\ArR54.exe
O4 - HKLM\..\Run: [F096D406] C:\WINNT\system32\auGNcdf.exe
O4 - HKLM\..\Run: [CB9A92C6] C:\WINNT\system32\apisrv.exe
O4 - HKLM\..\Run: [502021C6] C:\WINNT\system32\UP54apesr.exe
O4 - HKLM\..\Run: [C36884C6] C:\WINNT\system32\eamort.exe
O4 - HKLM\..\Run: [A9ADD4D3] C:\WINNT\system32\sldpHPILT.exe
O4 - HKLM\..\Run: [C9F890C6] C:\WINNT\system32\RSLRSV.exe
O4 - HKLM\..\Run: [E49CD2C6] C:\WINNT\system32\UPCLRS.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [F93B1D5E] C:\WINNT\system32\VIelc.exe
O4 - HKLM\..\Run: [B16DA776] C:\WINNT\system32\ATHOMuid.exe
O4 - HKLM\..\Run: [AD574BD6] C:\WINNT\system32\YPTUIMhe.exe
O4 - HKLM\..\Run: [8A6D9253] C:\WINNT\system32\acmdiSOLE.exe
O4 - HKLM\..\Run: [zobiv] C:\WINNT\zobiv.exe
O4 - HKLM\..\Run: [8CA3060E] C:\WINNT\system32\acHPILT.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
O4 - HKCU\..\Run: [56E04AD6] C:\WINNT\system32\agockxm.exe
O4 - HKCU\..\Run: [FF4D8406] C:\WINNT\system32\CSEDPTI.exe
O4 - HKCU\..\Run: [BFADD5DB] C:\WINNT\system32\UPatkser.exe
O4 - HKCU\..\Run: [FEB71ED6] C:\WINNT\system32\resETER.exe
O4 - HKCU\..\Run: [FF1C4873] C:\WINNT\system32\MONmsexATHP.exe
O4 - HKCU\..\Run: [DE09F1E6] C:\WINNT\system32\EmaRXowse.exe
O4 - HKCU\..\Run: [9B9D297E] C:\WINNT\system32\ArR54.exe
O4 - HKCU\..\Run: [F096D406] C:\WINNT\system32\auGNcdf.exe
O4 - HKCU\..\Run: [CB9A92C6] C:\WINNT\system32\apisrv.exe
O4 - HKCU\..\Run: [502021C6] C:\WINNT\system32\UP54apesr.exe
O4 - HKCU\..\Run: [C36884C6] C:\WINNT\system32\eamort.exe
O4 - HKCU\..\Run: [A9ADD4D3] C:\WINNT\system32\sldpHPILT.exe
O4 - HKCU\..\Run: [C9F890C6] C:\WINNT\system32\RSLRSV.exe
O4 - HKCU\..\Run: [E49CD2C6] C:\WINNT\system32\UPCLRS.exe
O4 - HKCU\..\Run: [F93B1D5E] C:\WINNT\system32\VIelc.exe
O4 - HKCU\..\Run: [B16DA776] C:\WINNT\system32\ATHOMuid.exe
O4 - HKCU\..\Run: [AD574BD6] C:\WINNT\system32\YPTUIMhe.exe
O4 - HKCU\..\Run: [8A6D9253] C:\WINNT\system32\acmdiSOLE.exe
O4 - HKCU\..\Run: [8CA3060E] C:\WINNT\system32\acHPILT.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pcm: C:\Program Files\Internet Explorer\PLUGINS\NpCurMem.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://xyz.aflashcou...masta.chm::/exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.nor...bin/AvSniff.cab
O16 - DPF: {310BD666-1EA3-4453-AF49-7C65D107030A} (mw4_baseCtl Class) - https://owa.pennmutu...sa/mw4_base.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapweb.ops.pl...quicksilver.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://pennmutual.we...bex/ieatgpc.cab
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - C:\Program Files\NetExchange Pro3.0\FlowHook.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DCS Loader - Oki Data Corporation - C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  • 0
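An added example, not part of the original thread and not HijackThis code: a short Python triage of the O4 Run lines from the two logs posted above, which also lists autoruns that appeared between the 12/20 and 12/22 scans. The heuristics (8-hex-digit value names, the same command registered in both HKLM and HKCU, launching from c:\temp) are assumptions drawn from patterns visible in these logs, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpts copied from the two HijackThis logs in this thread (not the full logs).
LOG_FIRST = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKCU\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
"""

# Second scan: everything above plus entries that only appear in the 12/22 log.
LOG_SECOND = LOG_FIRST + r"""
O4 - HKLM\..\Run: [C9F890C6] C:\WINNT\system32\RSLRSV.exe
O4 - HKLM\..\Run: [zobiv] C:\WINNT\zobiv.exe
O4 - HKCU\..\Run: [C9F890C6] C:\WINNT\system32\RSLRSV.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
HEX_NAME = re.compile(r"^[0-9A-F]{8}$")


def parse_run_entries(log):
    """Return (hive, value_name, command) for every O4 Run line in the log."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(
                (m.group("hive"), m.group("name").strip(), m.group("cmd").strip())
            )
    return entries


def triage(log):
    """Return {value_name: [reasons]} for Run entries that deserve a closer look.

    These are review hints, not verdicts: a hit still has to be checked by hand.
    """
    hives_by_entry = defaultdict(set)
    for hive, name, cmd in parse_run_entries(log):
        hives_by_entry[(name, cmd.lower())].add(hive)

    findings = defaultdict(list)
    for (name, cmd), hives in hives_by_entry.items():
        if HEX_NAME.match(name):
            findings[name].append("8-hex-digit value name")
        if hives == {"HKLM", "HKCU"}:
            findings[name].append("same command in HKLM and HKCU")
        if cmd.startswith("c:\\temp\\"):
            findings[name].append("runs from c:\\temp")
    return dict(findings)


def new_autoruns(before, after):
    """Run entries present in the later log but not in the earlier one."""
    old = set(parse_run_entries(before))
    return [entry for entry in parse_run_entries(after) if entry not in old]


if __name__ == "__main__":
    for name, reasons in sorted(triage(LOG_SECOND).items()):
        print(f"{name}: {', '.join(reasons)}")
    # zobiv matches none of the heuristics, but the comparison of the two
    # scans still surfaces it as a newly added autorun.
    for hive, name, cmd in new_autoruns(LOG_FIRST, LOG_SECOND):
        print(f"new since first scan: {hive} [{name}] {cmd}")
```
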

#5
admin (Founder Geek, Administrator)
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items, then click Fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaawebsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Prodigy Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ;;;
R3 - URLSearchHook: (no name) - {CAB7C0BB-2CF2-A86F-E8E4-AAFE6B6E51CC} - C:\WINNT\system32\luPARSppm.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmdk32.exe
O4 - HKLM\..\Run: [hsqvtu] C:\WINNT\system32\ikeqsnvj.exe
O4 - HKLM\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
O4 - HKLM\..\Run: [56E04AD6] C:\WINNT\system32\agockxm.exe
O4 - HKLM\..\Run: [FF4D8406] C:\WINNT\system32\CSEDPTI.exe
O4 - HKLM\..\Run: [BFADD5DB] C:\WINNT\system32\UPatkser.exe
O4 - HKLM\..\Run: [FEB71ED6] C:\WINNT\system32\resETER.exe
O4 - HKLM\..\Run: [FF1C4873] C:\WINNT\system32\MONmsexATHP.exe
O4 - HKLM\..\Run: [DE09F1E6] C:\WINNT\system32\EmaRXowse.exe
O4 - HKLM\..\Run: [9B9D297E] C:\WINNT\system32\ArR54.exe
O4 - HKLM\..\Run: [F096D406] C:\WINNT\system32\auGNcdf.exe
O4 - HKLM\..\Run: [CB9A92C6] C:\WINNT\system32\apisrv.exe
O4 - HKLM\..\Run: [502021C6] C:\WINNT\system32\UP54apesr.exe
O4 - HKLM\..\Run: [C36884C6] C:\WINNT\system32\eamort.exe
O4 - HKLM\..\Run: [A9ADD4D3] C:\WINNT\system32\sldpHPILT.exe
O4 - HKLM\..\Run: [C9F890C6] C:\WINNT\system32\RSLRSV.exe
O4 - HKLM\..\Run: [E49CD2C6] C:\WINNT\system32\UPCLRS.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [F93B1D5E] C:\WINNT\system32\VIelc.exe
O4 - HKLM\..\Run: [B16DA776] C:\WINNT\system32\ATHOMuid.exe
O4 - HKLM\..\Run: [AD574BD6] C:\WINNT\system32\YPTUIMhe.exe
O4 - HKLM\..\Run: [8A6D9253] C:\WINNT\system32\acmdiSOLE.exe
O4 - HKLM\..\Run: [zobiv] C:\WINNT\zobiv.exe
O4 - HKLM\..\Run: [8CA3060E] C:\WINNT\system32\acHPILT.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [CB27536E] C:\WINNT\system32\luPARSppm.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [B12909C3] C:\WINNT\system32\PAslmtTV.exe
O4 - HKCU\..\Run: [56E04AD6] C:\WINNT\system32\agockxm.exe
O4 - HKCU\..\Run: [FF4D8406] C:\WINNT\system32\CSEDPTI.exe
O4 - HKCU\..\Run: [BFADD5DB] C:\WINNT\system32\UPatkser.exe
O4 - HKCU\..\Run: [FEB71ED6] C:\WINNT\system32\resETER.exe
O4 - HKCU\..\Run: [FF1C4873] C:\WINNT\system32\MONmsexATHP.exe
O4 - HKCU\..\Run: [DE09F1E6] C:\WINNT\system32\EmaRXowse.exe
O4 - HKCU\..\Run: [9B9D297E] C:\WINNT\system32\ArR54.exe
O4 - HKCU\..\Run: [F096D406] C:\WINNT\system32\auGNcdf.exe
O4 - HKCU\..\Run: [CB9A92C6] C:\WINNT\system32\apisrv.exe
O4 - HKCU\..\Run: [502021C6] C:\WINNT\system32\UP54apesr.exe
O4 - HKCU\..\Run: [C36884C6] C:\WINNT\system32\eamort.exe
O4 - HKCU\..\Run: [A9ADD4D3] C:\WINNT\system32\sldpHPILT.exe
O4 - HKCU\..\Run: [C9F890C6] C:\WINNT\system32\RSLRSV.exe
O4 - HKCU\..\Run: [E49CD2C6] C:\WINNT\system32\UPCLRS.exe
O4 - HKCU\..\Run: [F93B1D5E] C:\WINNT\system32\VIelc.exe
O4 - HKCU\..\Run: [B16DA776] C:\WINNT\system32\ATHOMuid.exe
O4 - HKCU\..\Run: [AD574BD6] C:\WINNT\system32\YPTUIMhe.exe
O4 - HKCU\..\Run: [8A6D9253] C:\WINNT\system32\acmdiSOLE.exe
O4 - HKCU\..\Run: [8CA3060E] C:\WINNT\system32\acHPILT.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://xyz.aflashcou...masta.chm::/exe
O16 - DPF: {310BD666-1EA3-4453-AF49-7C65D107030A} (mw4_baseCtl Class) - https://owa.pennmutu...sa/mw4_base.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://pennmutual.we...bex/ieatgpc.cab
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - C:\Program Files\NetExchange Pro3.0\FlowHook.dll
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINNT\system32\angelex.exe
C:\WINNT\system32\luPARSppm.exe
C:\WINNT\EliteToolBar <- this folder
C:\Program Files\Viewpoint <- this folder
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\bridge.dll
C:\WINNT\system32\luPARSppm.exe
c:\temp\salm.exe
C:\winnt\system32\kalvmdk32.exe
C:\WINNT\system32\ikeqsnvj.exe
C:\WINNT\system32\PAslmtTV.exe
C:\WINNT\system32\agockxm.exe
C:\WINNT\system32\CSEDPTI.exe
C:\WINNT\system32\UPatkser.exe
C:\WINNT\system32\resETER.exe
C:\WINNT\system32\MONmsexATHP.exe
C:\WINNT\system32\EmaRXowse.exe
C:\WINNT\system32\ArR54.exe
C:\WINNT\system32\auGNcdf.exe
C:\WINNT\system32\apisrv.exe
C:\WINNT\system32\UP54apesr.exe
C:\WINNT\system32\eamort.exe
C:\WINNT\system32\sldpHPILT.exe
C:\WINNT\system32\RSLRSV.exe
C:\WINNT\system32\UPCLRS.exe
C:\Program Files\Windows ServeAd <- this folder
C:\WINNT\system32\VIelc.exe
C:\WINNT\system32\ATHOMuid.exe
C:\WINNT\system32\YPTUIMhe.exe
C:\WINNT\system32\acmdiSOLE.exe
C:\WINNT\zobiv.exe
C:\WINNT\system32\acHPILT.exe
C:\WINNT\system32\wuclient.exe
C:\WINNT\system32\luPARSppm.exe
C:\PROGRAM FILES\COMMON FILES\tsa <- this folder
C:\WINNT\system32\PAslmtTV.exe
C:\WINNT\system32\agockxm.exe
C:\WINNT\system32\CSEDPTI.exe
C:\WINNT\system32\UPatkser.exe
C:\WINNT\system32\resETER.exe
C:\WINNT\system32\MONmsexATHP.exe
C:\WINNT\system32\EmaRXowse.exe
C:\WINNT\system32\ArR54.exe
C:\WINNT\system32\auGNcdf.exe
C:\WINNT\system32\apisrv.exe
C:\WINNT\system32\UP54apesr.exe
C:\WINNT\system32\eamort.exe
C:\WINNT\system32\sldpHPILT.exe
C:\WINNT\system32\RSLRSV.exe
C:\WINNT\system32\UPCLRS.exe
C:\WINNT\system32\VIelc.exe
C:\WINNT\system32\ATHOMuid.exe
C:\WINNT\system32\YPTUIMhe.exe
C:\WINNT\system32\acmdiSOLE.exe
C:\WINNT\system32\acHPILT.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#6
Notanexpert

Notanexpert

    Member

  • Member
  • PipPip
  • 11 posts
:thumbsup: :tazz: ;) May I please get some help also..I am experiencing the same dilemma. I can't get rid of this "aaawebsearch" to save my neck! I am not an expert so please be patient with my inexperience and most definitely have some pity on me...I have spent the last 4 hours trying to fix this problem..but to no avail. I downloaded the hijack and I will post the log..please tell me where do I go from here??!!! Thanks in advance!
Logfile of HijackThis v1.99.0
Scan saved at 1:40:10 AM, on 12/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\NVPEXAPI.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\sfwfrc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ezula\mmod.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Documents and Settings\Nikki\Application Data\eetu.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\winpack.exe
C:\Documents and Settings\Nikki\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=422
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\webdlg32.dll
R3 - URLSearchHook: (no name) - {8DEDA3EA-D78D-9379-C15E-C823ED61E221} - C:\WINDOWS\system32\NVPEXAPI.exe
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D886B55-E645-59CD-D503-64550586733C} - C:\WINDOWS\System32\pkmpthft.dll (file missing)
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\webdlg32.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: DailyToolbar - {8333C319-0669-4893-A418-F56D9249FCA6} - C:\WINDOWS\Downloaded Program Files\DailyToolbar.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\Downloaded Program Files\webdlg32.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [99448AF6] C:\WINDOWS\system32\NVPEXAPI.exe
O4 - HKLM\..\Run: [4678AC5E] C:\WINDOWS\system32\ATTLICO.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [E4980EE6] C:\WINDOWS\system32\DPTI3d1ab.exe
O4 - HKLM\..\Run: [8363D04B] C:\WINDOWS\system32\2dVTw32.exe
O4 - HKLM\..\Run: [1660DC5E] C:\WINDOWS\system32\DITL3rx.exe
O4 - HKLM\..\Run: [462CE0FE] C:\WINDOWS\system32\ILTcd.exe
O4 - HKLM\..\Run: [99B5CC5E] C:\WINDOWS\system32\DDCELdrt.exe
O4 - HKLM\..\Run: [zvhhoa] C:\WINDOWS\System32\sfwfrc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [win32spl] C:\WINDOWS\System32\win32spl.exe
O4 - HKCU\..\Run: [commdlg] C:\WINDOWS\System32\commdlg.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Anbynvjo] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Nikki\Application Data\eetu.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [99448AF6] C:\WINDOWS\system32\NVPEXAPI.exe
O4 - HKCU\..\Run: [4678AC5E] C:\WINDOWS\system32\ATTLICO.exe
O4 - HKCU\..\Run: [E4980EE6] C:\WINDOWS\system32\DPTI3d1ab.exe
O4 - HKCU\..\Run: [8363D04B] C:\WINDOWS\system32\2dVTw32.exe
O4 - HKCU\..\Run: [1660DC5E] C:\WINDOWS\system32\DITL3rx.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [462CE0FE] C:\WINDOWS\system32\ILTcd.exe
O4 - HKCU\..\Run: [99B5CC5E] C:\WINDOWS\system32\DDCELdrt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: IEToolbarCab - http://www.dailytool...ailyToolbar.CAB
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.onlin...ler.com/cax.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#7
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Please post your log in your own separate topic in the "Hijack This Logs" forum. It gets confusing when there is more than one problem in the same thread. :tazz:

-=jonnyrotten=- ;)
  • 0

#8
rstuebenjr

rstuebenjr

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
After fixing the suggested items in HijackThis, deleting the files in safe mode and rebooting, here is my new log.

aaawebsearch appears to be gone.
Now http://69sexsearch.c...9790&qq=spyware is popping up along with http://sweet.porn-offer.info/us/

Any help would be greatly appreciated.

Thanks

Logfile of HijackThis v1.99.0
Scan saved at 8:14:58 AM, on 12/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\RUNDLL32.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctcaESK.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\stueben\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net/
R3 - URLSearchHook: (no name) - {CAB7C0BB-2CF2-A86F-E8E4-AAFE6B6E51CC} - C:\WINNT\system32\luPARSppm.exe (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmdk32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - HKLM\..\Run: [A632D1EE] C:\WINNT\system32\ndsPOMpi.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - HKCU\..\Run: [A632D1EE] C:\WINNT\system32\ndsPOMpi.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pcm: C:\Program Files\Internet Explorer\PLUGINS\NpCurMem.dll
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.nor...bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapweb.ops.pl...quicksilver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DCS Loader - Oki Data Corporation - C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#9
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes next to only the following items, then click Fix checked.
R3 - URLSearchHook: (no name) - {CAB7C0BB-2CF2-A86F-E8E4-AAFE6B6E51CC} - C:\WINNT\system32\luPARSppm.exe (file missing)
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmdk32.exe
O4 - HKLM\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - HKLM\..\Run: [A632D1EE] C:\WINNT\system32\ndsPOMpi.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKCU\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - HKCU\..\Run: [A632D1EE] C:\WINNT\system32\ndsPOMpi.exe
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapweb.ops.pl...quicksilver.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\winnt\system32\kalvmdk32.exe
C:\WINNT\system32\ctcaESK.exe
C:\WINNT\system32\ndsPOMpi.exe
C:\Program Files\Windows ServeAd <- this folder
C:\WINNT\system32\ctcaESK.exe
C:\WINNT\system32\ndsPOMpi.exe

Please delete your temporary files. Double-click My Computer (WinXP: Navigate to Start ---> My Computer).
You will see an icon representing your hard drive (most likely C: Drive). Right-click on the hard drive icon and click Properties at the bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#10
Notanexpert

Notanexpert

    Member

  • Member
  • PipPip
  • 11 posts
Thanks Johnny..will do! :tazz:
  • 0

#11
rstuebenjr

rstuebenjr

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here is my revised log. Sorry it is so late (holidays etc.)
The laptop seems to be working fine.
Let me know if anything else needs to be done.

Thanks So Much
rstuebenjr

Logfile of HijackThis v1.99.0
Scan saved at 7:18:27 AM, on 12/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\stueben\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pcm: C:\Program Files\Internet Explorer\PLUGINS\NpCurMem.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.nor...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DCS Loader - Oki Data Corporation - C:\WINNT\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#12
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Leftover.


Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKCU\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe

After a reboot it should stay away.

Regards,

Pieter
  • 0
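
The check behind the "Leftover" reply above, as an added example that is not part of the original thread: parse the O4 Run lines HijackThis prints, then report which entries from the fix list in post #9 are still present in the rescan from post #11. Function names are hypothetical, the sample lines are copied from those two posts, and the 8-hex-digit value-name test is a triage heuristic assumed from the pattern in these logs, not a HijackThis feature.

```python
import re
from collections import namedtuple

# One registry autorun entry as HijackThis 1.99 prints it:
#   O4 - HKCU\..\Run: [value name] command line
RunEntry = namedtuple("RunEntry", "hive key name command")

O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$')
HEX8 = re.compile(r'^[0-9A-Fa-f]{8}$')

# Copied from post #9 (entries the helper asked to have fixed).
FIX_LIST = r"""
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmdk32.exe
O4 - HKLM\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - HKLM\..\Run: [A632D1EE] C:\WINNT\system32\ndsPOMpi.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKCU\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - HKCU\..\Run: [A632D1EE] C:\WINNT\system32\ndsPOMpi.exe
O15 - Trusted Zone: http://*.69sexsearch.com
"""

# Copied from the rescan in post #11 (a few lines of it).
RESCAN = r"""
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [87D51C03] C:\WINNT\system32\ctcaESK.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def parse_run_entries(log_text):
    """Return the HKLM/HKCU Run-key entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        match = O4_RUN.match(line.strip())
        if match:
            entries.append(RunEntry(*match.groups()))
    return entries


def _identity(entry):
    # Windows paths are case-insensitive ("C:\winnt" vs "C:\WINNT"),
    # so compare the command in lower case.
    return (entry.hive, entry.key.lower(), entry.name, entry.command.lower())


def leftovers(fix_list_text, rescan_text):
    """Entries that were marked for fixing but still appear in the rescan."""
    wanted_gone = {_identity(e) for e in parse_run_entries(fix_list_text)}
    return [e for e in parse_run_entries(rescan_text)
            if _identity(e) in wanted_gone]


def hex_named(log_text):
    """Run entries whose value name is exactly 8 hex digits.

    Heuristic only: it matches the names seen in this thread's fix lists
    and marks an entry for review, it does not prove it is malicious.
    """
    return [e for e in parse_run_entries(log_text) if HEX8.match(e.name)]


if __name__ == "__main__":
    for entry in leftovers(FIX_LIST, RESCAN):
        print("still present:", entry.hive, entry.name, entry.command)
    for entry in hex_named(RESCAN):
        print("review:", entry.hive, entry.name, entry.command)
```
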





