Please help me with my hijack this log -thank you [RESOLVED]



#1
greneyz

    New Member

  • Member
  • 6 posts
Below is my log..... I am ultimately trying to get rid of an annoying "best offers" pop-up ad. Thank you for any help you may be.


Logfile of HijackThis v1.99.1
Scan saved at 9:19:10 PM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TBONBin\tbon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\Q1WPE34T\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...px?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://www.imail.gkb...com/iNotes6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126923136633
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://www.imail.gkbaum.com/dwa7W.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
  • 0



#2
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

If you still require help please post a new Hijack log in this
thread and I will help you. If your problem has been fixed please
respond and let us know.

Thanks
  • 0

#3
Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
Hi and welcome to Geeks to Go!

Before we begin, please move HijackThis out of the Temporary files and into a separate folder of its own in Program Files, so that it can function properly and create backups which can be restored if necessary, and then post a new log.
  • 0

#4
Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
Sorry loophole, we both posted at the same time but you first. :tazz:
  • 0

#5
greneyz

    New Member

  • Topic Starter
  • Member
  • 6 posts
Here is my new hijack this log, per your request. Please let me know what I need to do to get rid of the "Best Offers" pop-up ad. Thank you for any help you may be.

Logfile of HijackThis v1.99.1
Scan saved at 3:51:09 PM, on 2/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TBONBin\tbon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...px?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://www.imail.gkb...com/iNotes6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126923136633
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://www.imail.gkbaum.com/dwa7W.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
  • 0

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi greneyz :tazz:

1. Please DELETE your current HJT program from its present location.

2. Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!


Please download ATF Cleaner by Atribune. Save it to the desktop.
This program is for XP and Windows 2000 only.


Hijack fixes

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...px?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll (file missing)
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

Now close all windows other than HiJackThis, then click Fix Checked


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Uninstall

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

BTLINK
Need2Find
altnet
TBONBin
INSTAFINDER


Folder deletions

Please delete the folders in red using Windows Explorer (if present):

C:\PROGRAM FILES\COMMON FILES\BTLINK
C:\Program Files\Need2Find\
C:\WINDOWS\system32\P2P Networking
c:\program files\altnet
C:\Program Files\TBONBin
C:\Program Files\INSTAFINDER


ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Reboot


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by loophole, 16 February 2006 - 05:28 PM.

  • 0
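
A follow-up check for the fix list in the post above, as an added example that is not part of the original thread or of HijackThis itself: it parses a later HijackThis log and reports which flagged entries are still registered, including ones whose file was deleted but whose registry reference remains (logged as "(file missing)"). The fix-list lines are copied from the post; the follow-up log is constructed for illustration, and the function names are hypothetical.

```python
import re

# "R1 - ...", "O4 - ...", "O16 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|O\d{1,2})\s+-\s+(.*\S)\s*$")
# HijackThis appends this marker when the referenced file no longer exists.
MISSING_RE = re.compile(r"\s*\(file missing\)$", re.IGNORECASE)

# Labels taken from the wording of the log lines in this thread.
SECTION = {"R0": "IE search/start page", "R1": "IE search/start page",
           "R3": "URLSearchHook", "O2": "BHO", "O3": "Toolbar",
           "O4": "Run/Startup autostart", "O8": "Context menu item",
           "O15": "Trusted Zone", "O16": "DPF (ActiveX)", "O18": "Protocol"}


def parse_entries(log_text):
    """Map a normalized key to (code, original line, file_missing flag).

    The key ignores case, repeated whitespace and the "(file missing)"
    marker, so the same registration matches across two scans. It does NOT
    reconcile 8.3 short paths (PROGRA~1) with long paths.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process path or blank line
        code, body = m.group(1), m.group(2)
        missing = bool(MISSING_RE.search(body))
        body = MISSING_RE.sub("", body)
        key = (code, " ".join(body.split()).lower())
        entries[key] = (code, line.strip(), missing)
    return entries


def still_present(fix_list_text, later_log_text):
    """Return (code, line in later log, file_missing) for flagged entries
    that a later scan still shows, in fix-list order."""
    flagged = parse_entries(fix_list_text)
    later = parse_entries(later_log_text)
    return [later[key] for key in flagged if key in later]


# Subset of the entries the helper asked to have fixed (from the post above).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
"""

# CONSTRUCTED follow-up log (not from the thread): the Need2Find folder was
# deleted but its BHO key remains, and the Altnet Run value was never removed.
LATER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

if __name__ == "__main__":
    for code, line, missing in still_present(FIX_LIST, LATER_LOG):
        state = "orphaned registry reference" if missing else "still active"
        print(f"[{SECTION.get(code, code)}] {state}: {line}")
```
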

#7
greneyz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you for your reply and help. I have done exactly as you said and here is my scan report as you requested.


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 16, 2006 6:32:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 17/02/2006
Kaspersky Anti-Virus database records: 177086
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59482
Number of viruses found: 20
Number of infected objects: 70
Number of suspicious objects: 0
Duration of the scan process: 00:58:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\home\.housecall\Quarantine\adm4005.exe.bac_a00344 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Documents and Settings\home\.housecall\Quarantine\altnetuninstall.exe.bac_a00344 Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\Documents and Settings\home\.housecall\Quarantine\asm.exe.bac_a00344 Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\home\.housecall\Quarantine\asm.exe.bac_a01352 Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\home\.housecall\Quarantine\asmps.dll.bac_a00344 Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\Documents and Settings\home\.housecall\Quarantine\asmps.dll.bac_a01352 Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\Documents and Settings\home\.housecall\Quarantine\btiein.dll.bac_a00344 Infected: Trojan-Downloader.Win32.QDown.ad skipped
C:\Documents and Settings\home\.housecall\Quarantine\dmserver.exe.bac_a00344 Infected: not-a-virus:AdWare.Win32.Comet.a skipped
C:\Documents and Settings\home\.housecall\Quarantine\dmserver.exe.bac_a01352 Infected: not-a-virus:AdWare.Win32.Comet.a skipped
C:\Documents and Settings\home\.housecall\Quarantine\InstaFinderK_inst.exe.bac_a00344/stream Infected: not-a-virus:AdWare.Win32.404Search.h skipped
C:\Documents and Settings\home\.housecall\Quarantine\InstaFinderK_inst.exe.bac_a00344 NSIS: infected - 1 skipped
C:\Documents and Settings\home\.housecall\Quarantine\InstaFinderK_inst.exe.bac_a00344 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\home\.housecall\Quarantine\Points Manager.exe.bac_a00344 Infected: not-a-virus:AdWare.Win32.Altnet.h skipped
C:\Documents and Settings\home\.housecall\Quarantine\Points Manager.exe.bac_a01352 Infected: not-a-virus:AdWare.Win32.Altnet.h skipped
C:\Documents and Settings\home\.housecall\Quarantine\ScreensaversInst.dll.bac_a00344 Infected: not-a-virus:AdWare.Win32.Comet.c skipped
C:\Documents and Settings\home\.housecall\Quarantine\stoolbar.dll.bac_a00344 Infected: not-a-virus:AdWare.Win32.WebSearch.w skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\backups\backup-20060216-154749-398.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\backups\backup-20060216-154749-815.dll Infected: not-a-virus:AdWare.Win32.404Search.l skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\backups\backup-20060216-154750-449.dll Infected: not-a-virus:AdWare.Win32.Wintol.ap skipped
C:\Program Files\Altnet\Download Manager\adm25.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Program Files\Altnet\Download Manager\adm4.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Program Files\Altnet\Download Manager\admdloader.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\Program Files\Altnet\Download Manager\admfdi.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\Program Files\Altnet\Download Manager\admprog.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Program Files\Altnet\Download Manager\asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Program Files\Altnet\Download Manager\asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\Program Files\Altnet\Points Manager\Points Manager.exe Infected: not-a-virus:AdWare.Win32.Altnet.h skipped
C:\Program Files\Altnet\Points Manager\sysdetect.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
C:\Program Files\Comet Systems\DM\bin\dmserver.exe Infected: not-a-virus:AdWare.Win32.Comet.a skipped
C:\Program Files\Kazaa\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1173\A0129981.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1173\A0130981.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1175\A0131006.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1185\A0131064.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1188\A0131092.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1191\A0131111.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1191\A0132111.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1192\A0132175.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1201\A0133168.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1208\A0133226.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1215\A0133265.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1215\A0133294.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1215\A0134294.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1224\A0134401.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1225\A0134416.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1234\A0134502.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1243\A0135502.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1243\A0136502.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1248\A0136555.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1248\A0136566.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136647.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136648.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136649.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136651.exe/stream Infected: not-a-virus:AdWare.Win32.404Search.h skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136651.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136652.dll Infected: Trojan-Downloader.Win32.QDown.ad skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136653.dll Infected: not-a-virus:AdWare.Win32.WebSearch.w skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136658.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1253\A0136716.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1253\A0136727.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1253\A0136748.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136796.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136801.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136802.dll Infected: not-a-virus:AdWare.Win32.404Search.l skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136803.dll Infected: not-a-virus:AdWare.Win32.Wintol.ap skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136810.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136812.EXE Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136813.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136817.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136818.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.o skipped

Scan process completed.
  • 0

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Good :tazz:

Don't worry, it's not as bad as it looks.

Did you uninstall Altnet?

Please uninstall the following, if present (click Start >>> Control Panel >>> Add/Remove Programs):

Altnet
Comet systems

Reboot and post a new HijackThis log.

Thanks
  • 0

#9
greneyz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I didn't find Altnet or Comet Systems?

So I didn't remove anything?

But here's my new HijackThis log. Thanks again for all of your help. Anything I can do to prevent all of this from happening again?

Logfile of HijackThis v1.99.1
Scan saved at 8:04:41 PM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\Q1WPE34T\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://www.imail.gkb...com/iNotes6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126923136633
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://www.imail.gkbaum.com/dwa7W.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
  • 0

#10
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :tazz:

Rescan with HijackThis, then check and fix the item below:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present



Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


Browse for and delete these folders (go to Safe Mode if necessary):

C:\Program Files\Altnet
C:\Program Files\Comet Systems

It looks like you may have used Trend Micro at one time. If you still use it, you need to empty the quarantine; if not, just delete the folder below:

C:\Documents and Settings\home\.housecall\Quarantine\

Reboot.


Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Uncheck Turn off System Restore.
  • Click Apply, and then click OK.

How is everything running?
  • 0

#11
greneyz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I did everything you recommended and so far all seems to be working OK. Do I need to do anything further with the post from the virus-scan program I did? It looked like I had a lot of files infected? Please advise. Thank you for all you have done so far.
  • 0

#12
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi greneyz

We should have gotten everything with the directions I gave. If you would like to double check you can rerun the scan and post the results. I will be more than happy to look at them :tazz:
  • 0

#13
greneyz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I did another virus scan and here is my report. Thanks again for double checking it. It looks like only 4 infected files this time.

KASPERSKY ON-LINE SCANNER REPORT
Monday, February 20, 2006 4:46:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/02/2006
Kaspersky Anti-Virus database records: 177759
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 56011
Number of viruses found: 4
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:57:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\backups\backup-20060216-154749-398.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\backups\backup-20060216-154749-815.dll Infected: not-a-virus:AdWare.Win32.404Search.l skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\backups\backup-20060216-154750-449.dll Infected: not-a-virus:AdWare.Win32.Wintol.ap skipped
C:\Program Files\Kazaa\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped

Scan process completed.
  • 0

#14
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi greneyz :)

I did miss one. You should uninstall Kazaa (if installed) and delete the C:\Program Files\Kazaa folder.

The rest are just backups from HijackThis and harmless.

Congratulations, your system is clean :tazz:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Anti-virus - An anti-virus is a must; here are a few good free ones. Please never run more than one anti-virus at a time.

  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner (by Atribune) - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.
  • 0
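The reply above separates the one installed file (Kazaa's TopSearch.dll) from copies that only sit in HijackThis backups, and the earlier report was dominated by System Restore copies. The following sketch, an added example that is not part of the original thread, sorts Kaspersky report lines into those three groups; the sample lines are copied from the reports posted here, while the path patterns and the names `classify` and `triage` are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Lines copied from the two Kaspersky reports posted in this thread.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136651.exe/stream Infected: not-a-virus:AdWare.Win32.404Search.h skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136651.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1249\A0136652.dll Infected: Trojan-Downloader.Win32.QDown.ad skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1255\A0136801.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\YZIJ2LM5\backups\backup-20060216-154749-398.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\Program Files\Kazaa\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
"""

# One detection line: <path> Infected: <verdict> <last action>
LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
# Assumed patterns, derived only from the paths seen in this thread's reports.
RESTORE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
HJT_BACKUP = re.compile(r"\\backups\\backup-\d{8}-\d{6}-\d+\.\w+$", re.I)


def classify(path):
    """Say what kind of copy a flagged file is, from its location alone."""
    if RESTORE.search(path):
        return "system-restore-copy"   # snapshot stored inside a restore point
    if HJT_BACKUP.search(path):
        return "hijackthis-backup"     # backup copy, as identified in the reply above
    return "live-file"                 # installed on disk: the one to remove


def triage(report):
    """Group detections by kind; returns {kind: [(file_on_disk, detection_name)]}."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # container summaries ("NSIS: infected - 1") carry no name
        # "file.exe/stream" names an object inside a container; keep the file on disk.
        on_disk = m["path"].split("/")[0]
        name = m["verdict"].split(":", 1)[-1]  # drop the "not-a-virus:" class prefix
        buckets[classify(on_disk)].append((on_disk, name))
    return dict(buckets)


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REPORT).items():
        print(f"{kind}: {len(hits)}")
        for path, name in hits:
            print(f"  {name}  {path}")
```
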

#15
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





