winfixer and other pop ups, ad nauseam [RESOLVED]



#1 Middie042 (Member, 382 posts)
Thanks for your help. HijackThis log below.


** Moved HijackThis to its own folder.
Logfile of HijackThis v1.99.1
Scan saved at 11:57:25 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\macromed\flash\GetFlash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by3fd.bay3.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102137430687
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\ETU7K1C1\cwshredder[1].exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by middie042, 03 November 2005 - 11:02 PM.



#2 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, middie042.

Please print these instructions out or save them in notepad for use in Safe Mode.
(Start > Programs > Accessories > Notepad)

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\mllmj.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\jmllm.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
    O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
    O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
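The two entries OwNt singles out above, the "MSEvents Object" BHO and the Winlogon Notify hooks, both point at five-letter DLLs in system32, and the second path VundoFix asks for is the first DLL's name spelled backwards. The script below is an added example, not part of the thread, of HijackThis or of VundoFix. It parses O2 and O20 lines from a HijackThis log, scores any DLL that is registered both as a BHO and as a Winlogon Notify package or whose Notify key is not on a short allowlist (the allowlist is my own assumption, not something HijackThis ships), and derives the reversed-name companion glob. The sample lines are the O2/O20 entries from the first log in this thread.

```python
"""Triage a HijackThis v1.99 log for the Vundo pattern seen in this thread.

Added example, not part of the forum thread, HijackThis or VundoFix.
Assumptions: KNOWN_NOTIFY is my own short allowlist; SAMPLE_LOG is a
handful of lines copied from the first log posted in the thread.
"""
import re
from collections import defaultdict

# Winlogon Notify packages that ship with Windows XP or common vendor software.
# Assumption: an allowlist maintained by hand, not something HijackThis provides.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "navlogon", "wgalogon",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse(log):
    """Return (bhos, notifies): the O2 and O20 entries of a HijackThis log."""
    bhos, notifies = [], []
    for line in log.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({"key": m["key"], "path": m["path"]})
    return bhos, notifies


def vundo_candidates(log):
    """DLLs that fit the Vundo pattern, as (path, score, reasons), highest score first.

    Score per DLL path: +1 if loaded as a BHO, +1 if registered as a Winlogon
    Notify package, +1 if the Notify key is not in the allowlist. A DLL that is
    only a BHO (score 1) is not reported; a Notify hook with an unknown key,
    or anything hooked in both places, is.
    """
    bhos, notifies = parse(log)
    score = defaultdict(int)
    reasons = defaultdict(list)
    for b in bhos:
        p = b["path"].lower()
        score[p] += 1
        reasons[p].append("BHO %s" % b["name"])
    for n in notifies:
        p = n["path"].lower()
        score[p] += 1
        reasons[p].append("Winlogon Notify %s" % n["key"])
        if n["key"].lower() not in KNOWN_NOTIFY:
            score[p] += 1
            reasons[p].append("Notify key not in allowlist")
    return sorted(((p, score[p], reasons[p]) for p in score if score[p] >= 2),
                  key=lambda t: -t[1])


def companion_glob(dll_path):
    """The second path VundoFix asks for: the DLL basename reversed, plus '.*'.

    Vundo keeps a companion file named with the DLL name spelled backwards
    (mllmj.dll -> jmllm.*), which is the path the instructions above enter.
    """
    m = re.match(r"^(?P<dir>.*\\)(?P<base>[^\\]+)\.dll$", dll_path, re.IGNORECASE)
    if not m:
        raise ValueError("not a DLL path: %r" % dll_path)
    return "%s%s.*" % (m["dir"], m["base"][::-1])


# O2/O20 lines from the first log in this thread (the rest of the log is omitted).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
"""

if __name__ == "__main__":
    for path, s, why in vundo_candidates(SAMPLE_LOG):
        print("%d  %s  (%s)" % (s, path, "; ".join(why)))
        print("    companion: %s" % companion_glob(path))
```

On the thread's first log this reports mllmj.dll (BHO plus Notify hook, unknown key) ahead of pmnlj.dll (Notify hook only, unknown key), which is exactly the pair that needed two VundoFix runs; the Norton BHO is not reported. The allowlist is the weak spot of the heuristic: treat a Notify key that is on the list but whose file lives outside system32, or that is signed by nobody, as worth a second look anyway.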

#3 Middie042 (Topic Starter, Member, 382 posts)
Thanks very much for your time and help. I have run the programs as requested.

Logfile of HijackThis v1.99.1
Scan saved at 6:17:40 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\HIJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by3fd.bay3.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102137430687
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\ETU7K1C1\cwshredder[1].exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Panda ActiveScan results after all steps were completed:

No viruses or other malicious software have been found! Scan finished.

                  Detected  Disinfected
Virus                    0            0
Spyware                  0            0
Hacking Tools            0            0
Dialers                  0            0
Security Risks           0            0
Suspicious files         0            0

VundoFix text file (vundofix.txt):

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

Activescan.txt
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\pmnlj.dll

The second filepath entered was c:\windows\system32\jlnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 164 'smss.exe'

Killing PID 784 'explorer.exe'
Killing PID 784 'explorer.exe'


Killing PID 236 'winlogon.exe'
Killing PID 236 'winlogon.exe'
--------------------------------------------------------------------------------------

c:\windows\system32\pmnlj.dll Deleted sucessfully.
c:\windows\system32\jlnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Had to run vundo twice, removing pmnlj the second run as it did not delete the first run. I had worked on this following other replies while awaiting your reply. Sure appears to be a lot of this malware out there.
How does this look? I really appreciate your help. I am seriously considering joining Geeks to Go; how do you find it to be for you? Middie042

#4 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, middie042.

Good job on knowing to run VundoFix a second time with your other variant of the vundo trojan.

Really appreciate your help, am considering seriously to join geeks to go, how do you find it to be for you?

I found GeekU to be a very rewarding experience for me. I'm sure you would, too. We also have some of the most helpful teachers around.

Your log is clean, good job! :)

Here are some recommendations to keep it that way.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

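The six "Custom Level" changes in the post above are stored as DWORD values under the Internet zone's registry key, which makes them auditable and scriptable instead of something to click through on every machine. The script below is an added example, not from the thread or from Microsoft; the value names (1001, 1004, 1201, 1800, 1804, 1607) and the Enable/Prompt/Disable encoding are the documented Internet Explorer zone action values, while CURRENT_WEAK is a constructed sample of a permissive configuration, not an export from a real PC. It compares the current values against the recommended ones and emits a .reg file that applies only the settings that are missing or weaker than recommended.

```python
"""Registry form of the Internet Explorer 'Custom Level' settings recommended above.

Added example; it is not part of the thread. The value names and the
0 / 1 / 3 = Enable / Prompt / Disable encoding are the documented IE zone
values; CURRENT_WEAK is a constructed sample, not an export from a real PC.
"""

# Zone 3 is the Internet zone. This is the per-user key; the HKLM key of the
# same name is consulted only when the Security_HKLM_only policy is set.
ZONE_INTERNET = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\Zones\3")

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value name under the zone key -> (setting as shown in the IE dialog, recommended value)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(current):
    """Compare a zone's current values with RECOMMENDED.

    `current` maps value name -> DWORD as read from the zone key. Returns
    {value name: (have, want)} for each setting that is absent or more
    permissive than recommended. The encoding is ordered, so "more
    permissive" is simply a smaller number (0 enable < 1 prompt < 3 disable).
    An absent value means IE falls back to the zone template, so it is
    reported as well rather than assumed safe.
    """
    findings = {}
    for name, (_desc, want) in RECOMMENDED.items():
        have = current.get(name)
        if have is None or have < want:
            findings[name] = (have, want)
    return findings


def reg_fix(findings):
    """Render the findings as a .reg file that applies the recommended values."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % ZONE_INTERNET]
    for name in sorted(findings):
        desc, want = RECOMMENDED[name]
        lines.append("; %s -> %s" % (desc, LABEL[want]))
        lines.append('"%s"=dword:%08x' % (name, want))
    return "\n".join(lines) + "\n"


# Constructed sample of a permissive zone (not real data): ActiveX downloads
# and IFRAME launches allowed silently, and 1607 not set at all.
CURRENT_WEAK = {
    "1001": ENABLE,
    "1004": PROMPT,
    "1201": DISABLE,
    "1800": ENABLE,
    "1804": ENABLE,
}

if __name__ == "__main__":
    print(reg_fix(audit(CURRENT_WEAK)))
```

Import the output with regedit or `reg import` and restart Internet Explorer; on a domain machine check whether the Security_HKLM_only policy is in effect, because then the HKLM copy of the zone key wins and a per-user fix changes nothing the browser uses.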

#5 Middie042 (Topic Starter, Member, 382 posts)
Thank you very much. All of the suggestions were/are already done, but I just added SpywareBlaster after joining this forum. Question: Norton AV wants its Internet Worm Protection instead of Windows Firewall. Your comment? I have used Windows Firewall and ZoneAlarm in the past. Thanks for your prompt and professional help. This is resolved successfully. I have my son's laptop which could use a review; should I post a new thread or add to here? Thank you!

#6 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, middie042.

I would allow Norton AV the benefit over Windows Firewall. I personally don't consider it much of a firewall though; it doesn't even block outgoing traffic.

You can go ahead and post the HijackThis log from the laptop here if you want, so you don't have to wait in line again.

Also, the link to sign up for GeekU if you want is located Here.

#7 Middie042 (Topic Starter, Member, 382 posts)
Great! Thank you. Here is the second laptop log. Site is EXTREMELY sluggish........

Logfile of HijackThis v1.99.1
Scan saved at 9:56:53 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\6612.exe
C:\WINDOWS\system32\ktl3d11r.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zgktu\Evlkfr.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\system32\Ljhuty.exe
C:\WINDOWS\system32\Aaqeob.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\SECRET~1\secretsmiles.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mymiami.muohio.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL (file missing)
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [ktl3d11r] C:\WINDOWS\system32\ktl3d11r.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Fwehjzw] C:\Program Files\Zgktu\Evlkfr.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ljhuty.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Aaqeob.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SecretSmileys] C:\PROGRA~1\SECRET~1\ss.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavings_from_Ebates\Sy400\Tp400\scri400a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O15 - Trusted Zone: *.muohio.edu
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


Is word wrap on? I thought I had it off.

(( I do believe going back to ZoneAlarm may well be in order, thanks for input))



Edited by middie042, 06 November 2005 - 09:24 PM.


#8
Middie042

    Member

  • Topic Starter
  • Member
  • 382 posts
Boy, the site is slow. Trying another HJT file, hopefully in good order. This one needs help. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 9:56:53 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\6612.exe
C:\WINDOWS\system32\ktl3d11r.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zgktu\Evlkfr.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\system32\Ljhuty.exe
C:\WINDOWS\system32\Aaqeob.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\SECRET~1\secretsmiles.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mymiami.muohio.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL (file missing)
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [ktl3d11r] C:\WINDOWS\system32\ktl3d11r.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Fwehjzw] C:\Program Files\Zgktu\Evlkfr.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ljhuty.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Aaqeob.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SecretSmileys] C:\PROGRA~1\SECRET~1\ss.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavings_from_Ebates\Sy400\Tp400\scri400a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O15 - Trusted Zone: *.muohio.edu
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

#9
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, middie042.

Thanks for the new log without word wrap. We are also aware of the forum problems; this is why it is taking so long to reply.

Normally, I would have you run LSPFix first, then give you the rest of the instructions on my next post, but since you still have access to the forums on this computer, I'll bundle the instructions up.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of lspak.dll
  • Select every instance of lspak.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp! Reboot your computer into normal windows.

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

#10
Middie042

    Member

  • Topic Starter
  • Member
  • 382 posts
We are getting there, a few more to go I believe. Here is HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:53 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\6612.exe
C:\WINDOWS\system32\ktl3d11r.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Zgktu\Evlkfr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\system32\Aaqeob.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\SECRET~1\secretsmiles.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mymiami.muohio.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL (file missing)
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [ktl3d11r] C:\WINDOWS\system32\ktl3d11r.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [Fwehjzw] C:\Program Files\Zgktu\Evlkfr.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ljhuty.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Aaqeob.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SecretSmileys] C:\PROGRA~1\SECRET~1\ss.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavings_from_Ebates\Sy400\Tp400\scri400a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.muohio.edu
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

Here is Buster Log:

AboutBuster 5.1, reference file 32
Scan started on [11/6/2005] at [11:13:06 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:14:03 PM


AboutBuster 5.1, reference file 32
Scan started on [11/6/2005] at [11:17:35 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:18:34 PM

RubberDuckY did not report or ask about any alternate data streams or give obvious options. Hopefully it ran correctly.
CWShredder only reported one fix. No log. What next, Doc? Thanks.

#11
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, middie042.

It looks as though About:Buster didn't work right; almost nothing in this log has changed.

Please open Hijackthis, scan, and place a checkmark by the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL (file missing)
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [ktl3d11r] C:\WINDOWS\system32\ktl3d11r.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [Fwehjzw] C:\Program Files\Zgktu\Evlkfr.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ljhuty.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Aaqeob.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavings_from_Ebates\Sy400\Tp400\scri400a.htm
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab


Close all open windows/browsers and click Fix Checked.

Please reboot into safe mode by tapping F8 as your computer starts to boot up.

Once in safe mode remove the following programs from Add/Remove
(Start > Settings > Control Panel > Add/Remove Programs)

Media Gateway
SurfAccuracy
DealHelper
MyQuickSearch
AutoUpdater


Not all of those may show up in add/remove.

Please show Hidden Files and Folders

Delete the following files/folders:

C:\Program Files\WebSavings_from_Ebates
C:\WINDOWS\system32\Aaqeob.exe
C:\WINDOWS\system32\Ljhuty.exe
C:\Program Files\AutoUpdate
C:\Program Files\SurfAccuracy
C:\Program Files\Media Gateway
C:\Program Files\Zgktu
C:\WINDOWS\system32\ktl3d11r.exe
C:\Program Files\MyQuickSearch
C:\6612.exe

Please reboot into Normal Mode.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please reply with the Kaspersky log, and a new Hijackthis log.

#12 Middie042 (Member, Topic Starter, 382 posts)
Looks like we got some work to do. Note that there was no DealHelper in programs, but I did notice a D-helper Web Driver in the add/remove programs. Did not remove it. A couple of others were not present, and MyQuickSearch would not delete; it returned a stop error message, "could not find specified module", one that we removed in a prior HJT fix process, I believe. Also, with every shutdown, I get a "wait while program closes" box (SAMPLE) which takes a few seconds longer to close (as an FYI). Here we go with logs.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, November 07, 2005 20:29:36
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/11/2005
Kaspersky Anti-Virus database records: 158740
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 58675
Number of viruses found: 53
Number of infected objects: 146
Number of suspicious objects: 6
Duration of the scan process: 4551 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc1.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc1.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Andrew\Local Settings\Temp\installer.exe Infected: Trojan-Dropper.Win32.PurityScan.q
C:\Documents and Settings\Andrew\mt-uninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\Documents and Settings\Andrew\mt-uninstaller.exe Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\Program Files\ProSiteFinder\prositefinder.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aa
C:\RECYCLER\S-1-5-21-3028300340-1542900787-4098053600-500\Dc1.exe Infected: Trojan-Dropper.Win32.Agent.mm
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP100\A0005578.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP100\A0005579.exe Infected: Trojan-Downloader.Win32.IstBar.ij
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP101\A0005588.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP101\A0005673.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP102\A0005690.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP102\A0005705.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP102\A0005745.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP102\A0005762.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP103\A0005778.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP104\A0005823.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP106\A0005879.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP107\A0005882.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP108\A0005918.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP109\A0005944.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP109\A0005972.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP110\A0006004.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP111\A0006034.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP112\A0006064.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP113\A0006097.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP114\A0006124.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP116\A0006150.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP118\A0006212.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP119\A0006236.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP119\A0006266.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP121\A0006284.dll Infected: not-a-virus:AdWare.Win32.DealHelper.ab
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP122\A0006306.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP122\A0006310.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP122\A0006310.exe Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP122\A0006363.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP123\A0006376.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP124\A0006420.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP125\A0006471.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP126\A0006492.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP127\A0006517.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP129\A0006544.dll Infected: not-a-virus:AdWare.Win32.Sahat.ad
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP129\A0006545.exe Infected: not-a-virus:AdWare.Win32.Sahat.ah
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP129\A0006548.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP130\A0006589.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP130\A0006637.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP131\A0006653.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP132\A0006657.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP133\A0006684.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP134\A0006710.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP135\A0006729.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP137\A0006748.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP138\A0006752.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP139\A0006770.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP140\A0006795.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP141\A0006966.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP142\A0006987.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP143\A0007003.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP144\A0007024.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP144\A0007043.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP145\A0007055.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP145\A0007073.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP146\A0007075.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP146\A0007092.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP147\A0007110.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP148\A0007133.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP148\A0007149.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP149\A0008154.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP150\A0008177.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP151\A0008184.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP152\A0008211.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP154\A0008233.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP155\A0008240.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP156\A0008260.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP157\A0008281.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP158\A0008289.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP158\A0008302.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP159\A0008323.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP159\A0009041.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP159\A0009041.exe Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP160\A0009050.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.c
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP160\A0009052.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP161\A0009079.exe Infected: not-a-virus:AdWare.Win32.WinAD.bf
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP161\A0009082.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP161\A0009084.exe Infected: not-a-virus:AdWare.Win32.DealHelper.ac
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP161\A0009085.exe Infected: not-a-virus:AdWare.Win32.Sahat.ai
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP94\A0005140.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP95\A0005230.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP96\A0005244.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP96\A0005257.exe Infected: not-a-virus:AdWare.Win32.180Solutions
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP96\A0005258.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005357.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005486.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005516.exe Infected: not-a-virus:AdWare.Win32.WebRebates.b
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005517.exe Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005518.exe Infected: not-a-virus:AdWare.Win32.WebRebates.b
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005520.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.j
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005521.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.j
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005522.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.j
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005523.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005524.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005525.exe Infected: Trojan-Downloader.Win32.Dyfuca.de
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005526.exe Infected: Trojan-Downloader.Win32.Dyfuca.de
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005527.dll Infected: not-a-virus:AdWare.Win32.180Solutions.j
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP98\A0005529.exe Infected: not-a-virus:AdWare.Win32.180Solutions.g
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005535.exe Infected: Trojan-Downloader.Win32.Apropo.g
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005538.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005539.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005540.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005541.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005542.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005544.exe Infected: not-a-virus:AdWare.Win32.PowerScan.d
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005546.dll Infected: not-a-virus:AdWare.Win32.SideFind
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005547.dll Infected: not-a-virus:AdWare.Win32.SideFind
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005548.exe Infected: Trojan-Downloader.Win32.IstBar.jm
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005550.dll Infected: Trojan-Downloader.Win32.IstBar.ms
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005551.dll Infected: not-a-virus:AdWare.Win32.DealHelper.ab
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005552.exe Infected: not-a-virus:AdWare.Win32.WebRebates.k
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005553.exe Infected: not-a-virus:AdWare.Win32.WebRebates.k
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005554.exe Infected: not-a-virus:AdWare.Win32.WebRebates.o
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005555.dll Infected: not-a-virus:AdWare.Win32.WebRebates.n
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005556.exe Infected: not-a-virus:AdWare.Win32.WebRebates.n
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005562.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005564.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005565.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005566.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5EEA947E-90E9-4013-91A6-F28EFECABD28}\RP99\A0005567.exe Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll Infected: not-a-virus:AdWare.Win32.Gator.1019
C:\WINDOWS\Downloaded Program Files\DS3.dll Infected: Trojan-Downloader.Win32.Lookme.a
C:\WINDOWS\extract.exe/systb.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c
C:\WINDOWS\extract.exe/wdskctl.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g
C:\WINDOWS\extract.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g
C:\WINDOWS\iconz3.exe Infected: not-a-virus:AdWare.Win32.Zestyfind
C:\WINDOWS\msbbi.exe/msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions
C:\WINDOWS\msbbi.exe Infected: not-a-virus:AdWare.Win32.180Solutions
C:\WINDOWS\mt-uninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\WINDOWS\mt-uninstaller.exe Infected: not-a-virus:AdWare.Win32.PurityScan.u
C:\WINDOWS\system\UpdInstall.exe Infected: not-a-virus:AdWare.Win32.Look2Me
C:\WINDOWS\system32\coreak.dll Infected: not-a-virus:AdWare.Win32.Coreak
C:\WINDOWS\system32\Cwwirs.exe Infected: not-a-virus:AdWare.Win32.DealHelper.ad
C:\WINDOWS\system32\dun.exe Infected: not-a-virus:AdWare.Win32.DealHelper.x
C:\WINDOWS\system32\f504an59.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINDOWS\system32\ll90ks5q.exe Infected: not-a-virus:AdWare.Win32.Sahat.f
C:\WINDOWS\system32\lspak.dll Infected: Trojan-Downloader.Win32.Agent.br
C:\WINDOWS\system32\psnrunas.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\rulesak.dll Infected: Trojan-Downloader.Win32.Agent.bt
C:\WINDOWS\system32\updak.dll Infected: Trojan-Downloader.Win32.Agent.br
C:\WINDOWS\wsem303.dll Infected: Trojan-Downloader.Win32.Dyfuca.dt

Scan process completed.
>>>>>>>>>>>>>>>>>>>
HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:30:45 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\Zfgopl.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\PROGRA~1\SECRET~1\run.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mymiami.muohio.edu/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zfgopl.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SecretSmileys] C:\PROGRA~1\SECRET~1\ss.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.muohio.edu
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

Many thanks are in order, as this looks like a headache! I do have a newer copy of NAV; would an uninstall of McAfee and installation of NAV really accomplish anything? Thank you. Middie042
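Added example, not code from this thread or from HijackThis: a short Python script that does what the helper does by hand between two logs, comparing the O4 Run-key lines from the earlier fix list with the log posted afterwards. The sample lines are a constructed subset of the ones quoted in this thread; an entry that comes back under the same value name but a new random filename (here [secure]) is the sign of a still-running component re-creating its autorun, and a program autorunning from a drive root (C:\6612.exe) is flagged separately.

```python
"""Triage helper for HijackThis O4 (Run key) entries.

Given the O4 lines a helper told the user to 'Fix Checked' and the log the
user posted afterwards, report which entries are gone, which came back
unchanged, and which came back under the same Run value name but pointing at
a different file. The last case is the one a defender cares about: the value
was removed, yet something still running re-created it with a new random
filename, so the component doing that has not been dealt with yet.
"""
import re
from typing import Dict, List, Tuple

# Matches e.g.  O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zfgopl.exe
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# The command is either "quoted path" args, or an unquoted path (which may
# itself contain spaces) optionally followed by arguments.
EXE_PATH = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|com|bat|scr))(?:\s|$)', re.IGNORECASE
)

RunKey = Tuple[str, str]  # (hive, Run value name)


def executable_path(cmd: str) -> str:
    """Return only the program path of a Run value, without its arguments."""
    m = EXE_PATH.match(cmd.strip())
    if not m:
        return cmd.strip()
    return (m.group("q") or m.group("u")).strip()


def parse_run_entries(log_text: str) -> Dict[RunKey, str]:
    """Map (hive, value name) -> executable path for every O4 Run line."""
    entries: Dict[RunKey, str] = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries[(m.group("hive"), m.group("name"))] = executable_path(m.group("cmd"))
    return entries


def compare_fix_list(fix_list: str, new_log: str) -> Dict[str, Dict[RunKey, str]]:
    """Classify each previously fixed entry as removed, unchanged or renamed."""
    before = parse_run_entries(fix_list)
    after = parse_run_entries(new_log)
    report: Dict[str, Dict[RunKey, str]] = {"removed": {}, "unchanged": {}, "renamed": {}}
    for key, old_path in before.items():
        if key not in after:
            report["removed"][key] = old_path
        elif after[key].lower() == old_path.lower():
            report["unchanged"][key] = old_path
        else:
            # Same value name, different file: re-created by something still active.
            report["renamed"][key] = f"{old_path} -> {after[key]}"
    return report


def drive_root_executables(log_text: str) -> List[RunKey]:
    """Run values whose program sits directly in a drive root (e.g. C:\\6612.exe).

    Legitimate software almost never autoruns from there, so such entries
    deserve a look even when their value name sounds harmless."""
    return [
        key for key, path in parse_run_entries(log_text).items()
        if re.match(r"^[A-Za-z]:\\[^\\]+$", path)
    ]


# Constructed sample: O4 lines from the earlier fix list and from the log
# posted after it (a subset of the lines quoted in this thread).
FIX_LIST = r"""
O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [ktl3d11r] C:\WINDOWS\system32\ktl3d11r.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Aaqeob.exe
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zfgopl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for status, items in compare_fix_list(FIX_LIST, NEW_LOG).items():
        for (hive, name), detail in items.items():
            print(f"{status:9} {hive}\\..\\Run [{name}] {detail}")
    print("autorun from drive root:", drive_root_executables(NEW_LOG))
```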

#13 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, middie042.

We do have some work to do, but we are getting there, rest assured.

Please open Hijackthis, scan, and place a checkmark by the following entries:

O4 - HKLM\..\Run: [ZoneEdit] C:\6612.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zfgopl.exe


Close ALL open windows/browsers and click Fix Checked.

We will also need to clear your system restore points.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

1) After that please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please uninstall D-helper Web Driver

4) Then run Killbox.

5) Select "Delete on Reboot".

6) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch.zip
C:\Documents and Settings\Andrew\Local Settings\Temp\installer.exe
C:\Documents and Settings\Andrew\mt-uninstaller.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\RECYCLER\S-1-5-21-3028300340-1542900787-4098053600-500\Dc1.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\DS3.dll
C:\WINDOWS\extract.exe
C:\WINDOWS\iconz3.exe
C:\WINDOWS\msbbi.exe
C:\WINDOWS\mt-uninstaller.exe
C:\WINDOWS\system\UpdInstall.exe
C:\WINDOWS\system32\coreak.dll
C:\WINDOWS\system32\Cwwirs.exe
C:\WINDOWS\system32\dun.exe
C:\WINDOWS\system32\f504an59.ini
C:\WINDOWS\system32\ll90ks5q.exe
C:\WINDOWS\system32\lspak.dll
C:\WINDOWS\system32\psnrunas.dll
C:\WINDOWS\system32\rulesak.dll
C:\WINDOWS\system32\updak.dll
C:\WINDOWS\wsem303.dll
C:\WINDOWS\system32\Zfgopl.exe
C:\6612.exe


7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

8) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Then let's run a scan with Ewido to pick up the remaining remnants.

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Please post back the Ewido log and a new Hijackthis log.
  • 0

#14
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
Here we go. I posted last night, but it must have been lost in the shuffle. If it posts twice, you will know why. There is a WIN-dh listing in the add/remove which has the same icon as a few of the other nasties we removed. Left it, but I do suspect it. Thanks for the assistance, and the learning experience.

EWIDO log:....

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:31:01 PM, 11/7/2005
+ Report-Checksum: 1422EB5C

+ Scan result:

HKLM\SOFTWARE\180solutions -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0E677229-E309-4341-81BD-3CC3018BF5B3} -> Spyware.MyQuickSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\dealhelper -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\dealhelper\KeyWord -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\msbb -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\dsktb -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\dsktb\DesktopToolbar -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\intexp\Config\button0 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\intexp\Config\button1 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\intexp\Config\button2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\intexp\Config\button3 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E677229-E309-4341-81BD-3CC3018BF5B3} -> Spyware.MyQuickSearch : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04011C11-2F3B-44ED-977C-270CA669C6B2} -> Spyware.MyQuickSearch : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E677221-E309-4341-81BD-3CC3018BF5B3} -> Spyware.MyQuickSearch : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\msbb -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-3028300340-1542900787-4098053600-1006_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
C:\Documents and Settings\Andrew\Cookies\andrew@hotlog[1].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Andrew\Local Settings\Temp\installer.exe -> Spyware.PurityScan : Cleaned with backup
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\CX6ZOHIV\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Andrew\mt-uninstaller.exe -> Spyware.PurityScan.u : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\ProSiteFinder\prositefinder.exe -> Spyware.ClearSearch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\DS3.dll -> TrojanDownloader.Lookme.a : Cleaned with backup
C:\WINDOWS\extract.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\iconz3.exe -> Spyware.Zestyfind : Cleaned with backup
C:\WINDOWS\msbbi.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\mt-uninstaller.exe -> Spyware.PurityScan.u : Cleaned with backup
C:\WINDOWS\system\UpdInstall.exe -> Spyware.VX2 : Cleaned with backup
C:\WINDOWS\system32\coreak.dll -> Spyware.Coreak : Cleaned with backup
C:\WINDOWS\system32\Cwwirs.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\dun.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\ll90ks5q.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\lspak.dll -> TrojanDownloader.Agent.br : Cleaned with backup
C:\WINDOWS\system32\rulesak.dll -> TrojanDownloader.Agent.bt : Cleaned with backup
C:\WINDOWS\system32\updak.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\wsem303.dll -> TrojanDownloader.Dyfuca.dt : Cleaned with backup


::Report End

Here is HJT log:....

Logfile of HijackThis v1.99.1
Scan saved at 11:33:33 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\PROGRA~1\SECRET~1\run.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mymiami.muohio.edu/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SecretSmileys] C:\PROGRA~1\SECRET~1\ss.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.muohio.edu
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

Still getting a few pop ups, like winantivirus 2006, and a search box. Looking forward to your reply. THANK YOU. middie042
  • 0

#15
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, middie042.

Your Hijackthis log is clean now, so let's dig deeper.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Please also RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

And finally, Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

So I need Four logs in total. The SpySweeper log, the Silent Runners log, the WinPFind log, and the Uninstall List.
  • 0