URGENT HELP NEEDED VERY IMPORTANT [RESOLVED]


  • This topic is locked

#1
jaimen

On my desktop, my background has been replaced with a sign that says: SPYWARE INFECTION. Your system is infected with spyware. Windows recommends you to use a spyware removal tool to prevent loss of important data and to increase system performance. Using this PC before having it cleaned from spyware is highly discouraged. What am I supposed to do to fix this problem? Can someone please look at my HJT log and tell me if it's clean and what to do? Please and thank you.

Logfile of HijackThis v1.99.1
Scan saved at 10:47:21 AM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
c:\winnt\temp\1C2.tmp
C:\WINDOWS\netrl32.exe
C:\WINDOWS\crhy32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
c:\winnt\temp\1C5.tmp
c:\winnt\temp\1C6.tmp
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Class - {E29E0ADF-144A-0633-9FF6-E70874A6E182} - C:\WINDOWS\winjr.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [crhy32.exe] C:\WINDOWS\crhy32.exe
O4 - HKLM\..\Run: [1C5.tmp] c:\winnt\temp\1C5.tmp.exe
O4 - HKLM\..\Run: [1C6.tmp] c:\winnt\temp\1C6.tmp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Windows.hta
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104451058202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128303306358
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netrl32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Edited by jaimen, 23 November 2005 - 06:50 PM.



#2
Buckeye_Sam

I see you already have Ewido installed.
Please open up Ewido and check for updates.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.

Delete your temp files
  • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.


Now open up Ewido.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.


Reboot your computer and post a new hijackthis log and the log from Ewido.

#3
jaimen

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:03:16 PM, 11/23/2005
+ Report-Checksum: 376D0130

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543}\TypeLib\\ -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F}\TypeLib\\ -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\ISTsvc\history -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\SideFind -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\IST -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2387590086-284587905-4097411637-1008\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
[160] C:\WINDOWS\System32\fkrml.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\All Users\Desktop\Read It NOW!!!.hta -> TrojanDropper.Inor.cj : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Windows.hta -> TrojanDropper.Inor.cj : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@data4.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Erwin\Cookies\erwin@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@217.73.66[2].txt -> Spyware.Cookie.217.73.66.16 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@adbrite[2].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ads18.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@banner.casinolasvegas[2].txt -> Spyware.Cookie.Casinolasvegas : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@bookspan.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@buildabear.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@casinolasvegas[1].txt -> Spyware.Cookie.Casinolasvegas : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter.hitslink[1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter13.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter15.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter16.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter3.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter7.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter8.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@counter9.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wfk4agcpkco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wfk4qncpeep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wfkikkajcao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wfkykicjehp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wfmykldjkbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wgkyaoczado.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wjkyoldpcgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wjl4egcjccq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wjliepcpmeq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wjloshdjwao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wjlowodpgko.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
-> : Error during cleaning
C:\Documents and Settings\Jay\Cookies\jay@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@efashionsolutions.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-bestbuy.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-cafepress.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-clearchannel.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-comcast.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-communityconnect.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-consumerenergyco.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-darden.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-fredericks.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-hitent.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-knightridder.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-olympus.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-proflowers.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-rr.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@ehg-tigerdirect2.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@entrepreneur.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@internetfuel[1].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@marthastewart.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@offers.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@phg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@spinbox[2].txt -> Spyware.Cookie.Spinbox : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@trafic[1].txt -> Spyware.Cookie.Trafic : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@twci.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@valueclick[3].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@vegasred[1].txt -> Spyware.Cookie.Vegasred : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@view.atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@weborama[1].txt -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@www.adtrak[2].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@www.michiganlottery.com.19780.fb.dbbsrv[2].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@www.popuptraffic[1].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@www.sidefind[2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@xxxcounter[2].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Internet Files\Content.IE5\RY15FO8K\mtrslib2[1].js -> TrojanDownloader.Small.ag : Cleaned with backup
C:\Documents and Settings\Jay\Start Menu\Programs\Power Scan -> Spyware.PowerScan : Cleaned with backup
C:\Documents and Settings\Jay\Start Menu\Programs\Power Scan\Power Scan.lnk -> Spyware.PowerScan : Cleaned with backup
C:\Documents and Settings\RADIOSHACK6343\gogotools.exe/SilentInstallW32.exe -> Spyware.GogoTools : Error during cleaning
C:\ntdetect.hta -> TrojanDropper.Inor.cj : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\Program Files\ISTsvc -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\ISTsvc\istsvc.exe -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\Power Scan -> Spyware.PowerScan : Cleaned with backup
C:\Program Files\Power Scan\powerscan.exe -> Spyware.PowerScan : Cleaned with backup
C:\Program Files\Power Scan\uninstall.exe -> Spyware.PowerScan : Cleaned with backup
C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base001.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base002.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur000.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur001.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur002.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur003.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\WINDOWS\system32\Cache\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Error during cleaning
C:\WINDOWS\system32\Cache\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Error during cleaning
C:\WINDOWS\Tqvmyjmv.nhr:owaiup -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\Txebrqzhn.lka:gxtvor -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Error during cleaning
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Error during cleaning
C:\winnt\temp\42E.tmp -> Spyware.Hijacker.Generic : Cleaned with backup
C:\winnt\temp\431.tmp -> Not-A-Virus.Hoax.SpyWare.a : Cleaned with backup
C:\winnt\temp\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup


::Report End
  • 0

#4
jaimen

  • Topic Starter
Logfile of HijackThis v1.99.1
Scan saved at 6:34:15 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
c:\winnt\temp\1C2.tmp
C:\WINDOWS\netrl32.exe
C:\WINDOWS\crhy32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
c:\winnt\temp\1C5.tmp
c:\winnt\temp\1C6.tmp
C:\Documents and Settings\Jay\My Documents\LimeWire\LimeWire.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Class - {E29E0ADF-144A-0633-9FF6-E70874A6E182} - C:\WINDOWS\winjr.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [crhy32.exe] C:\WINDOWS\crhy32.exe
O4 - HKLM\..\Run: [1C5.tmp] c:\winnt\temp\1C5.tmp.exe
O4 - HKLM\..\Run: [1C6.tmp] c:\winnt\temp\1C6.tmp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104451058202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128303306358
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netrl32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#5
Buckeye_Sam

    Malware Expert
Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {E29E0ADF-144A-0633-9FF6-E70874A6E182} - C:\WINDOWS\winjr.dll
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [crhy32.exe] C:\WINDOWS\crhy32.exe
    O4 - HKLM\..\Run: [1C5.tmp] c:\winnt\temp\1C5.tmp.exe
    O4 - HKLM\..\Run: [1C6.tmp] c:\winnt\temp\1C6.tmp.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O20 - Winlogon Notify: style32 - C:\WINDOWS\
    O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netrl32.exe



  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\WINDOWS\system32\ohrlk.dll
    C:\WINDOWS\winjr.dll
    C:\WINDOWS\netrl32.exe
    C:\WINDOWS\crhy32.exe
    C:\winstall.exe
    windir32.exe <-- search for this file
    C:\Program Files\ISTsvc <-- delete this folder


  • Delete everything from within this folder.

    c:\winnt\temp
Reboot your computer to go back to normal mode.


Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • You may need to disable your antivirus program while this scan runs.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
  • Make sure to reenable your antivirus program if you disabled it.
Reboot and post a new HijackThis log and the info from your virus scan.
  • 0
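The kind of triage that a HijackThis log like the one in post #4 invites, added here as an example (it is not part of the thread and not Buckeye_Sam's stated method): it parses the `R`/`O` entry lines and flags a few location- and name-based patterns. The rules and function names are assumptions of this example; the sample lines are copied from the log in post #4.

```python
import re
from typing import NamedTuple

# Entry lines copied from the HijackThis log in post #4 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ohrlk.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=2c02&lc=0409
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Class - {E29E0ADF-144A-0633-9FF6-E70874A6E182} - C:\WINDOWS\winjr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1C5.tmp] c:\winnt\temp\1C5.tmp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netrl32.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

class Finding(NamedTuple):
    code: str      # HijackThis section code, e.g. "O4"
    entry: str     # the full log line
    reasons: list  # why this example's rules flagged it

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
O4_RE = re.compile(r"^(.+?): \[(.*?)\] (.+)$")
# Program named by an autorun command: quoted path, or text up to the
# first executable extension.
TARGET_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|scr|dll))(?=\s|$)', re.I)

def check_ie_setting(body):
    """R0/R1: an IE page setting served from a resource inside a local DLL."""
    _, _, value = body.partition(" = ")
    if value.lower().startswith("res://"):
        return ["IE setting loads a res:// page from inside a local DLL"]
    return []

def check_bho(body):
    """O2: a Browser Helper Object with no descriptive name."""
    name = body.split(" - ")[0].replace("BHO:", "").strip()
    if name == "Class":
        return ["BHO registered with only the placeholder name 'Class'"]
    return []

def check_autorun(body):
    """O4: Run/RunServices values, judged by where the program lives."""
    m = O4_RE.match(body)
    if not m:
        return []  # e.g. "Global Startup" shortcuts, not handled here
    cmd = m.group(3)
    t = TARGET_RE.match(cmd)
    target = ((t.group(1) or t.group(2)) if t else cmd).lower()
    reasons = []
    if "\\temp\\" in target:
        reasons.append("autorun program lives in a temp directory")
    if re.search(r"\.\w{2,4}\.exe$", target):
        reasons.append("double extension ending in .exe")
    if "\\" not in target:
        reasons.append("bare file name with no path")
    if re.fullmatch(r"[a-z]:\\[^\\]+", target):
        reasons.append("executable sits in the drive root")
    return reasons

def check_winlogon(body):
    """O20: a Winlogon Notify value should name a DLL, not a directory."""
    if body.rsplit(" - ", 1)[-1].endswith("\\"):
        return ["Winlogon Notify entry names a directory, not a DLL"]
    return []

def check_service(body):
    """O23: unsigned service whose binary sits directly in the Windows dir."""
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    owner = parts[1]
    path = parts[2].replace(" (file missing)", "").lower()
    if owner == "Unknown owner" and re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path):
        return ["service with unknown owner running from the Windows directory"]
    return []

CHECKS = {"R0": check_ie_setting, "R1": check_ie_setting, "O2": check_bho,
          "O4": check_autorun, "O20": check_winlogon, "O23": check_service}

def triage(log_text):
    """Return a Finding for every entry line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        check = CHECKS.get(m.group(1))
        reasons = check(m.group(2)) if check else []
        if reasons:
            findings.append(Finding(m.group(1), line.strip(), reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.code, "|", "; ".join(f.reasons))
        print("   ", f.entry)
```

Rules like these only catch entries that look wrong by location or naming; entries such as `[IST Service]`, which sit in an ordinary `Program Files` path, still need a reviewer who recognises the product name.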

#6
jaimen

  • Topic Starter
Incident Status Location

Adware:Adware/SearchTheWeb Not disinfected C:\Documents and Settings\All Users\Application Data\msw\BMan.exe
Adware:Adware/SearchTheWeb Not disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
Adware:adware/iedriver Not disinfected C:\Documents and Settings\Jay\Favorites\Get out of Debt!.url
Adware:adware/searchaid Not disinfected C:\Documents and Settings\Jay\Favorites\Only sex website.url
Adware:adware/weirdontheweb Not disinfected C:\Documents and Settings\Jay\Favorites\WeirdOnTheWeb.url
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Internet Files\Content.IE5\4DEZ8PYF\archive1213[1].jar[Dummy.class]
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Internet Files\Content.IE5\NCFSCU1Z\main[1].htm
Virus:Exploit/LoadImage Not disinfected C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Internet Files\Content.IE5\PYJ1DQOI\full[1].anr
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Jay\Local Settings\Temporary Internet Files\Ssk.log
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Jay\mc-110-12-0000080.exe
Adware:Adware/eZula Not disinfected C:\Documents and Settings\RADIOSHACK6343\Start Menu\Programs\TopText iLookup\My Keywords.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\RADIOSHACK6343\Start Menu\Programs\TopText iLookup\My Preferences.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\RADIOSHACK6343\Start Menu\Programs\TopText iLookup\TopText Button Show - Hide.lnk
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\RADIOSHACK6343\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\RADIOSHACK6343\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\fzzk\fzzkd\fzzkc.dll
Adware:Adware/FlashTrack Not disinfected C:\Program Files\Common Files\Java\ftkclean.exe
Adware:adware/maxifiles Not disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/FlashTrack Not disinfected C:\Program Files\Ftk\ftkclean.exe
Adware:Adware/FlashTrack Not disinfected C:\Program Files\Ftk\Ftkcpy_inst.exe
Adware:Adware/Thecoolbar Not disinfected C:\Program Files\FwBarTemp\cohelper.exe
Virus:Trj/Downloader.DYX Not disinfected C:\Program Files\HJT\backups\backup-20051004-220253-314.dll
Adware:Adware/Mirar Not disinfected C:\Program Files\HJT\backups\backup-20051004-220253-746.dll
Adware:Adware/WebHancer Not disinfected C:\Program Files\HJT\backups\backup-20051004-220253-948.dll
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\HJT\backups\backup-20051004-220303-783.inf
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\HJT\backups\backup-20051004-220305-425.inf
Dialer:Dialer.OK Not disinfected C:\Program Files\HJT\backups\backup-20051004-220308-234.inf
Adware:Adware/SearchAid Not disinfected C:\Program Files\Internet Explorer\iegjujgh.exe
Adware:Adware/SearchAid Not disinfected C:\Program Files\Internet Explorer\mzemjoyi.exe
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Pass\MediaPass.exe
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\TVSv2.dll
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\tvs_clean.exe
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\tvs_ln.exe
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\tvs_re_inst.exe
Adware:Adware/Prositefinder Not disinfected C:\Program Files\vcy1nd6a\12620363.exe
Spyware:Spyware/ClearSearch Not disinfected C:\Program Files\vcy1nd6a\2aby5f1v.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\Program Files\vcy1nd6a\47p8bkn9.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\Program Files\vcy1nd6a\b7wzlcna.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\Program Files\vcy1nd6a\llyjk9c0.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\Program Files\vcy1nd6a\swjb0619.DLL
Adware:Adware/Prositefinder Not disinfected C:\Program Files\vcy1nd6a\zdi2oblz.DLL
Adware:Adware/WebHancer Not disinfected C:\Program Files\whInstall\whAgent.inf
Adware:Adware/SearchAid Not disinfected C:\RECYCLER\S-1-5-21-2387590086-284587905-4097411637-1008\Dc512.dll
Adware:Adware/IST.ISTBar Not disinfected C:\RECYCLER\S-1-5-21-2387590086-284587905-4097411637-1008\Dc513\__delete_on_reboot__istsvc.exe
Virus:W32/Gaobot.KSI.worm Not disinfected C:\RECYCLER\S-1-5-21-2387590086-284587905-4097411637-1008\Dc514.exe
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\bs7beta.exe
Spyware:spyware/virtumonde Not disinfected C:\WINDOWS\bsx32.ini
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\d3of.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\d3re.exe
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\desktop.html
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\Downloaded Program Files\mzemjoyi.exe
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\eaiwffsx.dll
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\EliteToolBar\xml\categories\drugs.mnu
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\EliteToolBar\xml\categories\fav.mnu
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\EliteToolBar\xml\default.tbr
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\casino-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\dating-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\fav-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\EliteToolBar\xml\search.mnu
Adware:adware/ipinsight Not disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\fluezxna.dll
Adware:adware/wintools Not disinfected C:\WINDOWS\hisistheurls.exe
Virus:Trj/VB.CF Not disinfected C:\WINDOWS\IEXPLOR.EXE
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\banner.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\inf\Pynix.inf
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\jvlxhvjw.dll
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\muuqordm.dll
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\ngujolgz.dll
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\swmaftle.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:adware program Not disinfected C:\WINDOWS\system32\atmtd.dll
Spyware:Spyware/Apropos Not disinfected C:\WINDOWS\system32\auto_update_uninstall.log
Virus:Trj/Downloader.DYX Not disinfected C:\WINDOWS\system32\browsewn.dll
Adware:Adware/nCase Not disinfected C:\WINDOWS\system32\Cache\180SAInstaller.exe
Virus:Trj/TSUpdate.A Not disinfected C:\WINDOWS\system32\Cache\AMEX_54.exe
Virus:Trj/Multidropper.UO Not disinfected C:\WINDOWS\system32\Cache\Kyongju.exe
Adware:adware/searchtheweb Not disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Spyware:Spyware/ShhhToolbar Not disinfected C:\WINDOWS\system32\Cache\runsearch.exe
Spyware:Spyware/UrlSpy Not disinfected C:\WINDOWS\system32\Cache\setup1015.exe
Virus:Trj/Downloader.BJF Not disinfected C:\WINDOWS\system32\Cache\skh2.exe
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\system32\Cache\ucmoreiex.exe
Virus:Trj/Downloader.BJI Not disinfected C:\WINDOWS\system32\Cache\VCMnet7 updated 030905.exe
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe
Adware:Adware/VirtualBouncer Not disinfected C:\WINDOWS\system32\Cache\wrapperouter.exe
Adware:adware/alwaysupdatednews Not disinfected C:\WINDOWS\system32\Free LapTop Computer.ico
Adware:adware/navipromo Not disinfected C:\WINDOWS\system32\hozvpqwlc_navps.dat
Adware:adware/wupd Not disinfected C:\WINDOWS\system32\ide21201.vxd
Adware:adware/hotoffers Not disinfected C:\WINDOWS\system32\Inkline Global PC tuneup.ico
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\system32\InstallerV4.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\system32\iphi32.exe
Adware:Adware/Hotoffers Not disinfected C:\WINDOWS\system32\msodae.dll
Adware:Adware/BigTrafficNet Not disinfected C:\WINDOWS\system32\nssA6.dll
Adware:Adware/ILookup Not disinfected C:\WINDOWS\system32\rtneg.dll
Adware:adware/ncase Not disinfected C:\WINDOWS\system32\saie.log
Adware:adware/powersearch Not disinfected C:\WINDOWS\system32\stlb2.xml
Adware:adware/sqwire Not disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:adware/portalscan Not disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\__delete_on_reboot__fkrml.dll
Adware:Adware/Imibar Not disinfected C:\WINDOWS\ttext.dll
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\ucmoreiex.exe
Adware:adware/upspiralbar Not disinfected C:\WINDOWS\unist2.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\unstall.exe
Spyware:spyware/adclicker Not disinfected C:\WINDOWS\usta32.ini
Adware:adware/afaenhance Not disinfected C:\WINDOWS\VCMnet11.exe
Adware:Adware/Weirdontheweb Not disinfected C:\WINDOWS\weirdontheweb_topc.exe
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\wkhhqopc.dll
Adware:Adware/StartPage.AHW Not disinfected C:\WINDOWS\zrjtivwa.dll
Adware:Adware/SpywareNo Not disinfected C:\winnt\temp\1C2.tmp
Dialer:Dialer.DNA Not disinfected C:\winnt\temp\1C7.tmp
Adware:Adware/SurfAccuracy Not disinfected C:\winnt\temp\uninstall.exe
Adware:Adware/SearchAid Not disinfected C:\winnt\temp\win1C0.tmp.exe
Adware:Adware/SearchAid Not disinfected C:\winnt\temp\win1C1.tmp.exe
Adware:Adware/SearchAid Not disinfected C:\winnt\temp\win24E.tmp.exe
Adware:Adware/SearchAid Not disinfected C:\winnt\temp\win42D.tmp.exe
Adware:Adware/SpywareNo Not disinfected C:\winstall.exe
  • 0

#7
jaimen

  • Topic Starter
Logfile of HijackThis v1.99.1
Scan saved at 11:09:42 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
c:\winnt\temp\1C2.tmp
C:\WINDOWS\netrl32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
c:\winnt\temp\1C5.tmp
c:\winnt\temp\1C6.tmp
C:\Documents and Settings\Jay\My Documents\LimeWire\LimeWire.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=2c02&lc=0409
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Class - {775E7EE2-3A20-6839-8BF8-42DB066E09CE} - C:\WINDOWS\system32\mfctk32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104451058202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128303306358
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netrl32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#8
Buckeye_Sam

    Malware Expert
You're still infected with HSA.

We are going to need some tools to remove this infection. Please download, install, and update any of these programs that you don't already have. Do not run any of them yet.

Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • For more info on how to show hidden files click here.

If you have problems with any of these steps make a note of the problem and then continue on to the next step. Let me know of any problems in your next reply. Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.

Please print out these instructions.


Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.


=============

Once in Safe mode follow these steps:
  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netrl32.exe

  • Delete these files.

    C:\Documents and Settings\All Users\Application Data\msw\BMan.exe
    C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
    C:\Documents and Settings\Jay\Favorites\Get out of Debt!.url
    C:\Documents and Settings\Jay\Favorites\Only sex website.url
    C:\Documents and Settings\Jay\Favorites\WeirdOnTheWeb.url
    C:\Documents and Settings\Jay\mc-110-12-0000080.exe
    C:\Program Files\Common Files\Java\ftkclean.exe
    C:\Program Files\Common Files\system32.dll
    C:\Program Files\Internet Explorer\iegjujgh.exe
    C:\Program Files\Internet Explorer\mzemjoyi.exe
    C:\WINDOWS\bs7beta.exe
    C:\WINDOWS\bsx32.ini
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\d3of.exe
    C:\WINDOWS\d3re.exe
    C:\WINDOWS\desktop.html
    C:\WINDOWS\Downloaded Program Files\mzemjoyi.exe
    C:\WINDOWS\eaiwffsx.dll
    C:\WINDOWS\farmmext.ini
    C:\WINDOWS\fluezxna.dll
    C:\WINDOWS\hisistheurls.exe
    C:\WINDOWS\IEXPLOR.EXE
    C:\WINDOWS\inf\banner.inf
    C:\WINDOWS\inf\ceres.inf
    C:\WINDOWS\inf\farmmext.inf
    C:\WINDOWS\inf\Pynix.inf
    C:\WINDOWS\jvlxhvjw.dll
    C:\WINDOWS\muuqordm.dll
    C:\WINDOWS\ngujolgz.dll
    C:\WINDOWS\swmaftle.dll
    C:\WINDOWS\netrl32.exe
    C:\WINDOWS\system\QBUninstaller.exe
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\system32\auto_update_uninstall.log
    C:\WINDOWS\system32\browsewn.dll
    C:\WINDOWS\system32\Cache\180SAInstaller.exe
    C:\WINDOWS\system32\Cache\AMEX_54.exe
    C:\WINDOWS\system32\Cache\Kyongju.exe
    C:\WINDOWS\system32\Cache\mswinstall.exe
    C:\WINDOWS\system32\Cache\runsearch.exe
    C:\WINDOWS\system32\Cache\setup1015.exe
    C:\WINDOWS\system32\Cache\skh2.exe
    C:\WINDOWS\system32\Cache\ucmoreiex.exe
    C:\WINDOWS\system32\Cache\VCMnet7 updated 030905.exe
    C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe
    C:\WINDOWS\system32\Cache\wrapperouter.exe
    C:\WINDOWS\system32\Free LapTop Computer.ico
    C:\WINDOWS\system32\hozvpqwlc_navps.dat
    C:\WINDOWS\system32\ide21201.vxd
    C:\WINDOWS\system32\Inkline Global PC tuneup.ico
    C:\WINDOWS\system32\InstallerV4.exe
    C:\WINDOWS\system32\iphi32.exe
    C:\WINDOWS\system32\msodae.dll
    C:\WINDOWS\system32\nssA6.dll
    C:\WINDOWS\system32\rtneg.dll
    C:\WINDOWS\system32\saie.log
    C:\WINDOWS\system32\stlb2.xml
    C:\WINDOWS\system32\tsuninst.exe
    C:\WINDOWS\system32\winupdt.008
    C:\WINDOWS\system32\__delete_on_reboot__fkrml.dll
    C:\WINDOWS\ttext.dll
    C:\WINDOWS\ucmoreiex.exe
    C:\WINDOWS\unist2.exe
    C:\WINDOWS\unstall.exe
    C:\WINDOWS\usta32.ini
    C:\WINDOWS\VCMnet11.exe
    C:\WINDOWS\weirdontheweb_topc.exe
    C:\WINDOWS\wkhhqopc.dll
    C:\WINDOWS\zrjtivwa.dll
    C:\winstall.exe

  • Delete these folders.

    C:\Documents and Settings\RADIOSHACK6343\Start Menu\Programs\TopText iLookup
    C:\Documents and Settings\RADIOSHACK6343\Start Menu\Programs\UCmore - The Search Accelerator
    C:\Program Files\Aprps
    C:\Program Files\Ftk
    C:\Program Files\FwBarTemp
    C:\Program Files\Media Pass
    C:\Program Files\tvs
    C:\Program Files\vcy1nd6a
    C:\Program Files\whInstall
    C:\Program Files\Common Files\fzzk
    C:\WINDOWS\EliteToolBar


  • Delete everything from within this folder, but not the folder itself.

    C:\winnt\temp



  • Next run CWShredder, making sure to click "Fix".


  • Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

  • Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido


  • Finally run a full scan with Adaware.


Reboot your computer to go back to normal mode and post a new hijackthis log, the Ewido log, and the log from About Buster.
* If the Ewido log is too large to post please attach it to your next reply so that I can still review it.

#9
jaimen

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:32:15 PM, 11/24/2005
+ Report-Checksum: B3C4C49F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
[160] C:\WINDOWS\System32\fkrml.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
C:\Documents and Settings\Jay\Cookies\jay@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@e-2dj6wjmioicpwdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Jay\Cookies\jay@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@counter7.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@counter9.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Cookies\jay@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Internet Files\Content.IE5\0T4X2FCX\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\RADIOSHACK6343\gogotools.exe/SilentInstallW32.exe -> Spyware.GogoTools : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\RECYCLER\S-1-5-21-2387590086-284587905-4097411637-1008\Dc570.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\RECYCLER\S-1-5-21-2387590086-284587905-4097411637-1008\Dc570.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup


::Report End

#10
jaimen

Logfile of HijackThis v1.99.1
Scan saved at 3:44:14 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\netrl32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\crhy32.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zyduj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zyduj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zyduj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zyduj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zyduj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zyduj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zyduj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Class - {16C8ED8F-9FBB-BE03-83E5-EF1C71227B4C} - C:\WINDOWS\ntli32.dll
O2 - BHO: Class - {775E7EE2-3A20-6839-8BF8-42DB066E09CE} - C:\WINDOWS\system32\mfctk32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [crhy32.exe] C:\WINDOWS\crhy32.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104451058202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128303306358
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netrl32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


#11
jaimen

About Buster didn't work.

#12
Buckeye_Sam

In what way didn't it work?

#13
jaimen

It says that the program has missing components.

#14
jaimen

Never mind, it's working now. It's scanning; I will post the scan when it's complete.

#15
jaimen

My apologies, it's not working. I open the program, then it said update or begin removal. I don't know what to do.