Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

1800searchassistant

Started by invisiblekid , Oct 21 2005 12:14 PM

Please log in to reply

#1
invisiblekid

Posted 21 October 2005 - 12:14 PM

Member

Member
19 posts

Logfile of HijackThis v1.99.1
Scan saved at 10:20:27 AM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EE5A6F3B-84FC-8550-D107-FFADA9BF2290} - C:\WINDOWS\system32\yyqijn.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lwpkvmz] C:\WINDOWS\lwpkvmz.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [WinFixer2005] C:\Program Files\WinFixer2005\uwfx5.exe /scan
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103864666374
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c5.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\rrched20.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#2
didom

Posted 22 October 2005 - 06:04 AM

Member 1K

Member
1,919 posts

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link under to "SpySweeper" to download the program.
Install it.
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

#3
invisiblekid

Posted 22 October 2005 - 12:55 PM

Member

Topic Starter
Member
19 posts

Hey I used to have it before it says that my trial has expired... I ran a new one but it says updates couldnt be made coz the subscription expired... I scanned it tho...

10:19 AM: |··· Start of Session, Saturday, 22 October 2005 ···|
10:19 AM: Spy Sweeper 3.0.0 (Build 129) started
10:20 AM: Updating spyware definitions
10:20 AM: Definitions can not be updated because subscription has expired.
10:21 AM: Updating spyware definitions
10:21 AM: Definitions can not be updated because subscription has expired.
10:22 AM: Updating spyware definitions
10:22 AM: Definitions can not be updated because subscription has expired.
10:22 AM: Sweep initiated using definitions version 365
10:22 AM: Sweeping memory for active spyware.
10:22 AM: Memory sweep has completed. Elapsed time 00:00:35
10:22 AM: Registry sweep initiated.
10:22 AM: Found: 2 Alexa Toolbar registry traces.
10:22 AM: Found: 53 Zango registry traces.
10:22 AM: Registry sweep completed. Elapsed time 00:00:43
10:22 AM: Full sweep on all local drives initiated.
10:22 AM: Now sweeping drive C:
10:24 AM: Found Cookie: AdKnowledge Cookie, version 1, c:\documents and settings\abc\cookies\abc@adknowledge[2].txt
10:24 AM: Found Cookie: Advertising Cookie, version 1, c:\documents and settings\abc\cookies\abc@advertising[2].txt
10:24 AM: Found Cookie: Atlas DMT Cookie, version 1, c:\documents and settings\abc\cookies\abc@atdmt[2].txt
10:24 AM: Found Cookie: Casalemedia Cookie, version 1, c:\documents and settings\abc\cookies\abc@casalemedia[1].txt
10:24 AM: Found Cookie: Doubleclick Cookie, version 1, c:\documents and settings\abc\cookies\abc@doubleclick[1].txt
10:24 AM: Found Cookie: Hitbox Cookie, version 1, c:\documents and settings\abc\cookies\[email protected][1].txt
10:24 AM: Found Cookie: Fastclick Cookie, version 1, c:\documents and settings\abc\cookies\abc@fastclick[1].txt
10:24 AM: Found Cookie: Hitbox Cookie, version 1, c:\documents and settings\abc\cookies\abc@hitbox[2].txt
10:24 AM: Found Cookie: Mediaplex Cookie, version 1, c:\documents and settings\abc\cookies\abc@mediaplex[1].txt
10:24 AM: Found Cookie: Overture Cookie, version 1, c:\documents and settings\abc\cookies\[email protected][1].txt
10:24 AM: Found Cookie: QuestionMarket Cookie, version 1, c:\documents and settings\abc\cookies\abc@questionmarket[1].txt
10:24 AM: Found Cookie: Realmedia Cookie, version 1, c:\documents and settings\abc\cookies\abc@realmedia[2].txt
10:24 AM: Found Cookie: Servedby Advertising Cookie, version 1, c:\documents and settings\abc\cookies\[email protected][2].txt
10:24 AM: Found Cookie: Trafficmp Cookie, version 1, c:\documents and settings\abc\cookies\abc@trafficmp[1].txt
10:24 AM: Found Cookie: Valueclick Cookie, version 1, c:\documents and settings\abc\cookies\abc@valueclick[2].txt
11:39 AM: Found: 15 file traces.
11:39 AM: Full Sweep has completed. Elapsed time 01:17:00
76,635 files swept
70 spyware traces located
11:52 AM: Removal process initiated
11:52 AM: Quarantining: AdKnowledge Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@adknowledge[2].txt
11:52 AM: Quarantining: Advertising Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@advertising[2].txt
11:52 AM: Quarantining: Alexa Toolbar
11:52 AM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\extensions\cmdmapping||{c95fe080-8f5d-11d2-a20b-00aa003c157a}
11:52 AM: Registry: HKEY_USERS\WRSS_Profile_cesar\software\microsoft\internet explorer\extensions\cmdmapping||{c95fe080-8f5d-11d2-a20b-00aa003c157a}
11:52 AM: Quarantining: Atlas DMT Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@atdmt[2].txt
11:52 AM: Quarantining: Casalemedia Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@casalemedia[1].txt
11:52 AM: Quarantining: Doubleclick Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@doubleclick[1].txt
11:52 AM: Quarantining: Fastclick Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@fastclick[1].txt
11:52 AM: Quarantining: Hitbox Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@hitbox[2].txt
11:52 AM: Cookie: c:\documents and settings\abc\cookies\[email protected][1].txt
11:52 AM: Quarantining: Mediaplex Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@mediaplex[1].txt
11:52 AM: Quarantining: Overture Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\[email protected][1].txt
11:52 AM: Quarantining: QuestionMarket Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@questionmarket[1].txt
11:52 AM: Quarantining: Realmedia Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@realmedia[2].txt
11:52 AM: Quarantining: Servedby Advertising Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\[email protected][2].txt
11:52 AM: Quarantining: Trafficmp Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@trafficmp[1].txt
11:52 AM: Quarantining: Valueclick Cookie
11:52 AM: Cookie: c:\documents and settings\abc\cookies\abc@valueclick[2].txt
11:52 AM: Quarantining: Zango
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\contains
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\downloadinformation
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\installedversion
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\contains\files
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}||installer
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}||systemcomponent
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\downloadinformation||codebase
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\downloadinformation||inf
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\installedversion||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\contains\files||c:\windows\downloaded program files\clientax.dll
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\control
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\progid
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\programmable
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\toolboxbitmap32
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\typelib
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\version
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\versionindependentprogid
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus\1
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32||threadingmodel
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\progid||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\toolboxbitmap32||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\typelib||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\version||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\versionindependentprogid||(-default-)
11:52 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus\1||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\control
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\progid
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\programmable
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\toolboxbitmap32
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\typelib
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\version
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\versionindependentprogid
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus\1
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32||threadingmodel
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\progid||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\toolboxbitmap32||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\typelib||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\version||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\versionindependentprogid||(-default-)
11:52 AM: Registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus\1||(-default-)
11:52 AM: Cleaning Traces
11:52 AM: Removing registry: HKEY_USERS\WRSS_Profile_cesar\software\microsoft\internet explorer\extensions\cmdmapping|| ({c95fe080-8f5d-11d2-a20b-00aa003c157a})
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\versionindependentprogid
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\version
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\typelib
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\toolboxbitmap32
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\programmable
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\progid
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus\1
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32|| (threadingmodel)
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\control
11:52 AM: Removing registry: HKEY_CLASSES_ROOT\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\installedversion
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\downloadinformation|| (inf)
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\downloadinformation|| (codebase)
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\downloadinformation
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\contains\files|| (c:\windows\downloaded program files\clientax.dll)
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\contains\files
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\contains
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}|| (systemcomponent)
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}|| (installer)
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\versionindependentprogid
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\version
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\typelib
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\toolboxbitmap32
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\programmable
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\progid
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus\1
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\miscstatus
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32|| (threadingmodel)
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\inprocserver32
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\control
11:52 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@valueclick[2].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@trafficmp[1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\[email protected][2].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@realmedia[2].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@questionmarket[1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\[email protected][1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@mediaplex[1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\[email protected][1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@hitbox[2].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@fastclick[1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@doubleclick[1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@casalemedia[1].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@atdmt[2].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@advertising[2].txt
11:52 AM: Removing file: c:\documents and settings\abc\cookies\abc@adknowledge[2].txt
11:52 AM: Removal process completed. Elapsed time 00:00:06
16 items (70 traces) quarantined.

#4
didom

Posted 22 October 2005 - 01:16 PM

Member 1K

Member
1,919 posts

Please post a fresh HijackThis log!

#5
invisiblekid

Posted 22 October 2005 - 02:13 PM

Member

Topic Starter
Member
19 posts

Logfile of HijackThis v1.99.1
Scan saved at 1:13:06 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EE5A6F3B-84FC-8550-D107-FFADA9BF2290} - C:\WINDOWS\system32\yyqijn.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lwpkvmz] C:\WINDOWS\lwpkvmz.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINDOWS\is-L048U.exe /REG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0025.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103864666374
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c5.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\rrched20.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#6
didom

Posted 22 October 2005 - 02:21 PM

Member 1K

Member
1,919 posts

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Scan again with HijackThis and check the following items:
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {EE5A6F3B-84FC-8550-D107-FFADA9BF2290} - C:\WINDOWS\system32\yyqijn.dll (file missing)
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [lwpkvmz] C:\WINDOWS\lwpkvmz.exe
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINDOWS\is-L048U.exe /REG
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\rrched20.dll (file missing)
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Reboot into normal mode.

Then, please run this online virus scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log and the Ewido log in your next reply.

---------------------------------------------

Make sure all hidden files and folders are visible (Instructions )

Please go to this site: http://virusscan.jotti.org/
On top you'll find "File to upload and scan".
Browse to the next file, submit it on that site and let it scan:

C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL

Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Folders and files with a tilde '~', means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!

#7
invisiblekid

Posted 22 October 2005 - 09:30 PM

Member

Topic Starter
Member
19 posts

Incident Status Location

Adware:adware/exact.searchbar Reported C:\Documents and Settings\Abc\Local Settings\Temp\blank.gif
Adware:adware/ist.istbar Reported C:\Documents and Settings\Abc\Local Settings\Temp\shortcuts.txt
Adware:adware/bookedspace Reported C:\WINDOWS\cfgmgr52.ini
Spyware:spyware/cydoor Reported C:\WINDOWS\cdmxtras
Adware:adware/powerscan Reported Windows Registry
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Abc\Cookies\abc@adrevolver[1].txt
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Abc\Cookies\abc@adrevolver[3].txt
Spyware:Cookie/Banner Reported C:\Documents and Settings\Abc\Cookies\abc@banner[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Abc\Cookies\abc@belnk[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Abc\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Abc\Cookies\abc@doubleclick[1].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Abc\Cookies\abc@go[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Abc\Cookies\abc@hitbox[1].txt
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Abc\Cookies\abc@realmedia[1].txt
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Abc\Application Data\Mozilla\Firefox\Profiles\2afx8gez.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/bravenetA Reported C:\Documents and Settings\Abc\Application Data\Mozilla\Firefox\Profiles\2afx8gez.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Abc\Application Data\Mozilla\Firefox\Profiles\2afx8gez.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/bravenetA Reported C:\Documents and Settings\Abc\Application Data\Mozilla\Firefox\Profiles\2afx8gez.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Abc\Cookies\abc@adrevolver[1].txt
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Abc\Cookies\abc@adrevolver[3].txt
Spyware:Cookie/Banner Reported C:\Documents and Settings\Abc\Cookies\abc@banner[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Abc\Cookies\abc@belnk[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Abc\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Abc\Cookies\abc@doubleclick[1].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Abc\Cookies\abc@go[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Abc\Cookies\abc@hitbox[1].txt
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Abc\Cookies\abc@realmedia[1].txt
Spyware:Cookie/Abcsearch Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@abcsearch[1].txt
Spyware:Cookie/Hbmediapro Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@adrevolver[1].txt
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@adrevolver[2].txt
Spyware:Cookie/Apmebf Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@apmebf[2].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@ask[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Azjmp Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@azjmp[2].txt
Spyware:Cookie/Banner Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@banner[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@belnk[2].txt
Spyware:Cookie/bravenetA Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@bravenet[1].txt
Spyware:Cookie/Cgi-bin Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@cgi-bin[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@go[1].txt
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Maxserving Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@maxserving[2].txt
Spyware:Cookie/OfferOptimizer Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@offeroptimizer[1].txt
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@realmedia[1].txt
Spyware:Cookie/Reliablestats Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@zedo[1].txt
Spyware:Cookie/Hypercount Reported C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq14.tmp
Virus:Trj/Multidropper.TY Reported C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3B.tmp
Adware:Adware/WUpd Reported C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\O0H2C05T\prompt[1].php
Adware:Adware/WUpd Reported C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\WN3Z2C5P\count[1].htm
Spyware:Cookie/Ask Reported C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2037.txt
Adware:Adware/Transponder Reported C:\WINDOWS\system32\rrhvqlx.exe

Logfile of HijackThis v1.99.1
Scan saved at 8:29:29 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0025.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103864666374
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c5.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:07:12 PM, 10/22/2005
+ Report-Checksum: F7D49A2E

+ Scan result:

HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID\\ -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1\CLSID\\ -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}\TypeLib\\ -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\TypeLib\\ -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}\TypeLib\\ -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}\TypeLib\\ -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\TypeLib\\ -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}\TypeLib\\ -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-725345543-1060284298-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410CDE-6F16-42CE-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Abc\Application Data\Mozilla\Profiles\default\db90df5t.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Abc\Application Data\Mozilla\Profiles\default\db90df5t.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Abc\Application Data\Mozilla\Profiles\default\db90df5t.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Abc\Application Data\Mozilla\Profiles\default\db90df5t.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Abc\Cookies\abc@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Application Data\Wildtangent\Cdacache\00\00\07.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][3].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\abc@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\Del27.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\ICD4.tmp\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temp\res28.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Abc\Local Settings\Temporary Internet Files\Content.IE5\QISKUV5X\SAcc.prod.v1112.05oct2005.exe[1].3ba72c661930662f21ed89952e0fec96 -> Spyware.SurfAccuracy : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq12.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq16.tmp -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq17.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq18.tmp -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1A.tmp -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1C.tmp -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq6.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqB.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqC.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqD.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqE.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF.tmp -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\Portal\45F02B59.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Program Files\WinFixer 2005 -> Spyware.WinFixer : Cleaned with backup
C:\RECYCLER\NPROTECT\00182665.DLL -> TrojanDownloader.IstBar : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2033.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2036.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2038.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2043.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2045.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2046.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2047.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2056.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2058.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1060284298-1202660629-1003\Dc2059.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\system32\APD123.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\donetlib.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ithlpapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\izagr5.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\qhujko.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Temp\b.com -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4HEVK5IV\!update-2124[1].0000 -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\Temp\upd209.exe -> Spyware.Look2Me : Cleaned with backup

::Report End

IS THAT WHAT YOU WERE LOOKING FOR?.. ITS SO CONFUSING :'o

#8
didom

Posted 23 October 2005 - 04:55 AM

Member 1K

Member
1,919 posts

Good job, that was were I was looking for :tazz:

You only forgot to scan the file at Jotti (see Step #8)

Step #1

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_CURRENT_USER\software\powerscan]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/pcpowerscan.exe\.owner]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/pcpowerscan.exe\{dc187740-46a9-11d5-a815-00b0d0428c0c}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\power scan]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\power scan]
[-HKEY_LOCAL_MACHINE\software\powerscan]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Then reboot your computer.

Step #2

Download CCleaner and install it. (Please do not run the CCleaner utility yet.)

Step #3

We need to make sure all hidden files are showing so please:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Step #4

Reboot Your System in Safe Mode:

Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #5

Find and delete these files and folders (if they are still there):
C:\WINDOWS\cfgmgr52.ini <= this file
C:\WINDOWS\system32\rrhvqlx.exe <= this file

C:\WINDOWS\cdmxtras <= this folder

Step #6

While still in safe mode Start Ccleaner. click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right).

Reboot your computer normally.

Step #7

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.

---------------------------------------------

Step #8

Make sure all hidden files and folders are visible (Instructions )

Please go to this site: http://virusscan.jotti.org/
On top you'll find "File to upload and scan".
Browse to the next file, submit it on that site and let it scan:

C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL

Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Folders and files with a tilde '~', means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!

Step #9

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#9
invisiblekid

Posted 24 October 2005 - 11:05 PM

Member

Topic Starter
Member
19 posts

Incident Status Location

Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.dll
Adware:adware/powerscan No disinfected C:\Documents and Settings\Abc\Start Menu\Programs\Power Scan
Adware:adware/surfaccuracy No disinfected C:\PROGRAM FILES\SurfAccuracy
Adware:adware/cws No disinfected Windows Registry
Virus:Trj/Multidropper.TY Disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3B.tmp
Adware:Adware/WUpd No disinfected C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\O0H2C05T\prompt[1].php
Adware:Adware/WUpd No disinfected C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\WN3Z2C5P\count[1].htm
Adware:Adware/PowerScan No disinfected C:\Program Files\Power Scan\powerscan.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.dll

Logfile of HijackThis v1.99.1
Scan saved at 9:25:14 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bull...MARKETING32.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0025.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103864666374
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.co...006_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c5.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

File: COMCAS~1.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 aa846fc9b83084eec4f9d3dcf5b8e78e
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

hey im getting a lot of winfixer pop ups.. i dont know why

#10
didom

Posted 25 October 2005 - 09:40 AM

Member 1K

Member
1,919 posts

Please download the Killbox.
Please do NOT run it yet.

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
Once in Safe Mode, please delete this folders:
C:\Program Files\Power Scan
C:\PROGRAM FILES\SurfAccuracy
C:\Documents and Settings\Abc\Start Menu\Programs\Power Scan
Please run Killbox.
Select "Delete on Reboot".
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Program Files\Power Scan\powerscan.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\istactivex.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..
Let the system reboot.

Find and delete this folder :
C:\!Killbox <= this folder

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply. Also tell you how your computer is running!

#11
invisiblekid

Posted 25 October 2005 - 02:32 PM

Member

Topic Starter
Member
19 posts

Incident Status Location

Adware:adware/ist.istbar No disinfected C:\PROGRAM FILES\ISTbar
Adware:adware/cws No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\O0H2C05T\prompt[1].php
Adware:Adware/WUpd No disinfected C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\WN3Z2C5P\count[1].htm

Logfile of HijackThis v1.99.1
Scan saved at 1:29:47 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bull...MARKETING32.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0025.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103864666374
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.co...006_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c5.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

IM GETTING A LOT OF POP UPS... BUT THE 1800ASSISTAN THING IS GONE.... IS MY COMPUTER OK NOW?

#12
didom

Posted 25 October 2005 - 02:35 PM

Member 1K

Member
1,919 posts

Step #1

We need to make sure all hidden files are showing so please:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Step #2

Reboot Your System in Safe Mode:

Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #3

Find and delete these files and folders (if they are still there):
C:\PROGRAM FILES\ISTbar <= this folder

Reboot your computer normally.

Step #4

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#13
invisiblekid

Posted 25 October 2005 - 08:27 PM

Member

Topic Starter
Member
19 posts

Incident Status Location

Adware:adware/cws No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\O0H2C05T\prompt[1].php
Adware:Adware/WUpd No disinfected C:\Documents and Settings\cesar\Local Settings\Temporary Internet Files\Content.IE5\WN3Z2C5P\count[1].htm

k well during the scan i got more than 100 norton virus alerts.. W32.pinfi... and im still getting them, they got on my nerves! ive gotten like 200 virus alerts.. the pop ups keep popping up saying the file has been repaired..

Logfile of HijackThis v1.99.1
Scan saved at 7:24:59 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bull...MARKETING32.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0025.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103864666374
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.co...006_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c5.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#14
didom

Posted 26 October 2005 - 09:11 AM

Member 1K

Member
1,919 posts

Please tell me the exact message from Norton (the file/infection name)

Edited by didom, 26 October 2005 - 09:11 AM.

#15
invisiblekid

Posted 26 October 2005 - 12:04 PM

Member

Topic Starter
Member
19 posts

it was troughout the whole scan I forgot :tazz:

.... Is cause while it was scanning i went to eat and took a shower and went to help do chores around the house.. when i came back i just clicked ok on all the norton windows that came out.. the only thing i remember that it says it was Win32.Pinfi has been repaired... hey i havent gotten any winfixer pop ups?