Here is the Spy Sweeper log:
2:41 PM: | Start of Session, Thursday, November 10, 2005 |
2:41 PM: Spy Sweeper started
2:41 PM: Sweep initiated using definitions version 571
2:41 PM: Starting Memory Sweep
2:41 PM: Found Adware: virtumonde
2:41 PM: Detected running threat: C:\WINDOWS\system32\jkhfe.dll (ID = 77)
2:41 PM: Detected running threat: C:\WINDOWS\system32\sstqo.dll (ID = 77)
2:43 PM: Memory Sweep Complete, Elapsed Time: 00:02:11
2:43 PM: Starting Registry Sweep
2:43 PM: Found Adware: abcsearch
2:43 PM: HKCR\bman.bmanager\ (3 subtraces) (ID = 102391)
2:43 PM: HKCR\bman.ciexplorer\ (3 subtraces) (ID = 102392)
2:43 PM: HKLM\software\classes\bman.bmanager\ (3 subtraces) (ID = 102399)
2:43 PM: HKLM\software\classes\bman.ciexplorer\ (3 subtraces) (ID = 102400)
2:43 PM: HKLM\software\classes\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\ (9 subtraces) (ID = 102408)
2:43 PM: HKCR\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\ (9 subtraces) (ID = 102413)
2:43 PM: HKCR\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\1.2\helpdir\ (1 subtraces) (ID = 102414)
2:43 PM: Found Adware: elitebar
2:43 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
2:43 PM: Found Adware: directrevenue-abetterinternet
2:43 PM: HKU\.default\software\ceres\ (26 subtraces) (ID = 145764)
2:43 PM: Found Adware: dealhelper
2:43 PM: HKLM\software\ddate\ (1 subtraces) (ID = 636618)
2:43 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
2:43 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
2:43 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
2:43 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
2:43 PM: HKCR\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954591)
2:43 PM: HKLM\software\classes\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954593)
2:43 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (ID = 954595)
2:43 PM: Found Adware: clearsearch
2:43 PM: HKU\WRSS_Profile_S-1-5-21-1960408961-1788223648-839522115-1004\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
2:43 PM: Found Adware: drsnsrch.com hijack
2:43 PM: HKU\S-1-5-21-1960408961-1788223648-839522115-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
2:43 PM: Found Trojan Horse: trojan-downloader-pacisoft
2:43 PM: HKU\S-1-5-21-1960408961-1788223648-839522115-1003\software\pacisoft\ (15 subtraces) (ID = 136528)
2:43 PM: Found Adware: begin2search
2:43 PM: HKU\S-1-5-21-1960408961-1788223648-839522115-1003\software\_rtneg2\ (3610 subtraces) (ID = 639270)
2:43 PM: Found Adware: ieplugin
2:43 PM: HKU\S-1-5-18\software\intexp\ (11 subtraces) (ID = 128173)
2:43 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
2:43 PM: HKU\S-1-5-18\software\ceres\ (26 subtraces) (ID = 145851)
2:43 PM: Registry Sweep Complete, Elapsed Time:00:00:10
2:43 PM: Starting Cookie Sweep
2:43 PM: Found Spy Cookie: 2o7.net cookie
2:43 PM: [email protected][1].txt (ID = 1958)
2:43 PM: [email protected][1].txt (ID = 1958)
2:43 PM: Found Spy Cookie: realmedia cookie
2:43 PM: mike@realmedia[1].txt (ID = 3235)
2:43 PM: Found Spy Cookie: server.iad.liveperson cookie
2:43 PM: [email protected][1].txt (ID = 3341)
2:43 PM: Found Spy Cookie: reliablestats cookie
2:43 PM: [email protected][1].txt (ID = 3254)
2:43 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:43 PM: Starting File Sweep
2:43 PM: c:\windows\system32\cache32_rtneg2 (2 subtraces) (ID = -2147481388)
2:43 PM: Found Adware: 180search assistant/zango
2:43 PM: c:\windows\system32\fleok (ID = -2147480556)
2:43 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
2:43 PM: 31f9a191-b57f-4190-85db-a90945 (ID = 80733)
2:44 PM: 13adf5fe-7dad-4533-8b04-172ad6 (ID = 80731)
2:44 PM: Found Adware: isearch desktop search
2:44 PM: 63ecc727-7b9e-4130-b4c3-bfd3b1 (ID = 64335)
2:44 PM: 6112e885-76f8-427b-8c5e-e491a2 (ID = 83539)
2:44 PM: Found Adware: bookedspace
2:44 PM: 44292c89-d08d-4cfb-b128-9c6953 (ID = 80273)
2:44 PM: b78f9724-74f3-4786-ac2a-c648c1 (ID = 80272)
2:44 PM: 511116.dat (ID = 52539)
2:44 PM: kwv2.dat (ID = 63356)
2:44 PM: Found Adware: adlogix
2:44 PM: 609d826b-f090-455c-a9b0-14ec04 (ID = 49184)
2:44 PM: 64ce8b7f-d791-436b-8a9a-e5744d (ID = 49225)
2:45 PM: Found Adware: virtualbouncer
2:45 PM: 225b5822-0333-4829-9d56-2cf9fc (ID = 82771)
2:45 PM: da8191da-cf1f-4787-b555-c0b46b (ID = 51062)
2:46 PM: 2c5bf9b5-ce66-4e1f-8795-0f086b (ID = 82854)
2:47 PM: Found Adware: websearch toolbar
2:47 PM: 9f6a2b38-77cb-4c88-b16a-bb4b15 (ID = 86323)
2:47 PM: uninstall.exe (ID = 49258)
2:47 PM: 11461078.bin (ID = 52519)
2:47 PM: 54131430.txt (ID = 52529)
2:47 PM: Found Adware: daosearch
2:47 PM: 34682956.dat (ID = 57421)
2:47 PM: 40838520.txt (ID = 52544)
2:47 PM: 14836214.dat (ID = 52532)
2:47 PM: 70680039.bin (ID = 57424)
2:48 PM: Found Adware: ebates money maker
2:48 PM: mmaker4b.exe (ID = 59685)
2:48 PM: mmaker4b.exe (ID = 59685)
2:48 PM: 7cf74082-f367-4c5f-b387-2bc3d6 (ID = 85847)
2:49 PM: c0ef35ae-c398-4c03-a61e-0ebac2 (ID = 86359)
2:49 PM: farmmext.ini (ID = 83282)
2:49 PM: a9c07ad5-37de-48c5-9930-2f1a73 (ID = 70624)
2:49 PM: 71924417.dat (ID = 52512)
2:49 PM: 85379429.dat (ID = 57422)
2:49 PM: 2442472.bin (ID = 52531)
2:49 PM: 91657220.bin (ID = 52517)
2:49 PM: 4350422.bin (ID = 52523)
2:49 PM: 97941727.dat (ID = 52536)
2:49 PM: 68703096.txt (ID = 52520)
2:49 PM: 62121020.dat (ID = 57426)
2:49 PM: 31614462.bin (ID = 57423)
2:49 PM: 44444188.dat (ID = 52541)
2:54 PM: Found Adware: altnet
2:54 PM: adm4.dll (ID = 49779)
2:55 PM: admdata.dll (ID = 49784)
2:55 PM: mysearch.cab (ID = 49849)
2:55 PM: admprog.dll (ID = 49790)
2:56 PM: Found Adware: bullguard popup ad
2:56 PM: bulldownload.exe (ID = 52017)
2:56 PM: Found Adware: tvmedia
2:56 PM: tvmknwrd.dll (ID = 81726)
2:58 PM: Found Adware: blazefind
2:58 PM: bridge.inf (ID = 51438)
2:58 PM: Found Adware: twain-tech
2:58 PM: mxtini.inf (ID = 81846)
2:58 PM: twaintec.inf (ID = 81888)
2:58 PM: alchem.inf (ID = 83109)
2:58 PM: Found Adware: isearch toolbar
2:58 PM: initial.inf (ID = 64361)
2:58 PM: Found Adware: mindset interactive - favoriteman
2:58 PM: atpartners.inf (ID = 69817)
3:04 PM: Warning: Invalid file - not a PKZip file
3:04 PM: Warning: Invalid Stream
3:04 PM: Warning: Unhandled Archive Type
3:05 PM: Warning: Unhandled Archive Type
3:05 PM: Warning: Invalid file - not a PKZip file
3:06 PM: File Sweep Complete, Elapsed Time: 00:22:21
3:06 PM: Full Sweep has completed. Elapsed time 00:24:46
3:06 PM: Traces Found: 3844
3:07 PM: Removal process initiated
3:08 PM: Quarantining All Traces: 180search assistant/zango
3:08 PM: Quarantining All Traces: adlogix
3:08 PM: Quarantining All Traces: clearsearch
3:08 PM: Quarantining All Traces: daosearch
3:08 PM: Quarantining All Traces: directrevenue-abetterinternet
3:08 PM: Quarantining All Traces: elitebar
3:08 PM: Quarantining All Traces: isearch desktop search
3:08 PM: Quarantining All Traces: virtumonde
3:08 PM: virtumonde is in use. It will be removed on reboot.
3:08 PM: C:\WINDOWS\system32\jkhfe.dll is in use. It will be removed on reboot.
3:08 PM: C:\WINDOWS\system32\sstqo.dll is in use. It will be removed on reboot.
3:08 PM: Quarantining All Traces: websearch toolbar
3:08 PM: Quarantining All Traces: begin2search
3:08 PM: Quarantining All Traces: blazefind
3:08 PM: Quarantining All Traces: trojan-downloader-mainstreamdollars
3:08 PM: Quarantining All Traces: trojan-downloader-pacisoft
3:08 PM: Quarantining All Traces: abcsearch
3:08 PM: Quarantining All Traces: altnet
3:08 PM: Quarantining All Traces: bookedspace
3:08 PM: Quarantining All Traces: bullguard popup ad
3:08 PM: Quarantining All Traces: dealhelper
3:08 PM: Quarantining All Traces: drsnsrch.com hijack
3:08 PM: Quarantining All Traces: ebates money maker
3:08 PM: Quarantining All Traces: ieplugin
3:08 PM: Quarantining All Traces: isearch toolbar
3:08 PM: Quarantining All Traces: mindset interactive - favoriteman
3:08 PM: Quarantining All Traces: tvmedia
3:08 PM: Quarantining All Traces: twain-tech
3:08 PM: Quarantining All Traces: virtualbouncer
3:08 PM: Quarantining All Traces: 2o7.net cookie
3:08 PM: Quarantining All Traces: realmedia cookie
3:08 PM: Quarantining All Traces: reliablestats cookie
3:08 PM: Quarantining All Traces: server.iad.liveperson cookie
3:09 PM: Warning: Launched explorer.exe
3:09 PM: Warning: Quarantine process could not restart Explorer.
********
2:36 PM: | Start of Session, Thursday, November 10, 2005 |
2:36 PM: Spy Sweeper started
2:37 PM: Your spyware definitions have been updated.
2:41 PM: | End of Session, Thursday, November 10, 2005 |
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:21:04 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG6\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG6\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~1\Grisoft\AVG6\avgcc.exe
F:\PROGRA~1\Grisoft\AVG6\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
E:\Program Files\itunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\program files\valve\steam\steam.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Pictures\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
E:\hijack logs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG6\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG6\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MimBoot] E:\PROGRA~1\Dell\mimboot.exe
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Steam] "e:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Pictures\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131659466328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bakbone.webe...bex/ieatgpc.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax2918.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG6\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG6\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
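Added example (not part of the post above, and not Spy Sweeper's or HijackThis's own code): a small Python triage script that correlates the two logs. The two things the logs show that are worth automating are (a) the O20 line: jkhfe.dll is registered as a Winlogon Notify DLL, which is why Spy Sweeper found it loaded and could only schedule removal for reboot, and HijackThis still lists the registration with the file now missing; and (b) the O2 line: BHO CLSID {6DD0BC06-...} has no backing file, and the same CLSID appears in the Spy Sweeper registry sweep under dealhelper. The sample lines are copied from the HijackThis log above; the two lookup tables are built by hand from the Spy Sweeper log; the function name triage_hjt and the severity labels are my own choices.

```python
import re

# Constructed sample input: lines copied from the HijackThis log above.
# A raw string keeps the backslashes literal.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Constructed lookup tables, transcribed by hand from the Spy Sweeper log:
# the CLSID the registry sweep listed under "dealhelper", and the DLLs the
# memory sweep reported as "Detected running threat" under "virtumonde".
# Keys are lower-cased because HijackThis prints paths in mixed case.
SWEEPER_CLSIDS = {"{6dd0bc06-4719-4ba3-bebc-fbae6a448152}": "dealhelper"}
SWEEPER_RUNNING_DLLS = {
    r"c:\windows\system32\jkhfe.dll": "virtumonde",
    r"c:\windows\system32\sstqo.dll": "virtumonde",
}

# HijackThis line shapes for the two sections we care about.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage_hjt(log_text):
    """Return one finding dict per O2/O20 line that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            clsid = m.group("clsid").lower()
            threat = SWEEPER_CLSIDS.get(clsid)
            if m.group("path") == "(no file)":
                # CLSID still registered as a BHO but its DLL is gone: a
                # dangling registration that should be deleted, not ignored.
                findings.append({"section": "O2", "id": clsid, "severity": "medium",
                                 "reason": "BHO registered with no backing file",
                                 "threat": threat})
            elif threat:
                findings.append({"section": "O2", "id": clsid, "severity": "high",
                                 "reason": "BHO CLSID attributed to a threat by Spy Sweeper",
                                 "threat": threat})
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path").lower()
            threat = SWEEPER_RUNNING_DLLS.get(path)
            if threat or m.group("missing"):
                # Winlogon Notify DLLs are loaded by winlogon.exe at logon, so a
                # sweeper cannot delete one while it is in use, and a stale
                # registration survives even after the file is quarantined.
                findings.append({"section": "O20", "id": m.group("key"), "severity": "high",
                                 "reason": "Winlogon Notify DLL missing or seen running as a threat",
                                 "threat": threat})
            else:
                # Any other Winlogon Notify entry is a persistence point worth
                # checking against the vendor of the DLL it names.
                findings.append({"section": "O20", "id": m.group("key"), "severity": "info",
                                 "reason": "Winlogon Notify entry present; verify the vendor",
                                 "threat": None})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['severity']:6}] {f['section']} {f['id']}: {f['reason']}"
              + (f" (Spy Sweeper: {f['threat']})" if f["threat"] else ""))
```

Run against the five sample lines it reports the dealhelper BHO as medium (no file), the jkhfe Winlogon Notify entry as high (matched to virtumonde), and the WRNotifier entry as info. The point of keeping the Spy Sweeper hits in a separate table is that a registry entry HijackThis shows with "(file missing)" or "(no file)" is exactly what remains after a quarantine, so the fix is to remove the registration as well as the file.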