Hey thanks for the help!
This was for the "myspace" problem.
Results of Spysweeper:
********
6:22 PM: | Start of Session, Tuesday, December 13, 2005 |
6:22 PM: Spy Sweeper started
6:22 PM: Sweep initiated using definitions version 584
6:22 PM: Starting Memory Sweep
6:26 PM: Memory Sweep Complete, Elapsed Time: 00:03:40
6:26 PM: Starting Registry Sweep
6:26 PM: Found Trojan Horse: trojan-backdoor-soundcheck
6:26 PM: HKLM\system\currentcontrolset\services\msdirectx\ (7 subtraces) (ID = 144200)
6:26 PM: Found Adware: findthewebsiteyouneed hijacker
6:26 PM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
6:26 PM: Found Adware: dollarrevenue
6:26 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
6:26 PM: Found Adware: command
6:26 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
6:26 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
6:26 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
6:26 PM: HKU\S-1-5-21-222497460-1698307082-2341012792-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
6:26 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
6:26 PM: Registry Sweep Complete, Elapsed Time:00:00:16
6:26 PM: Starting Cookie Sweep
6:26 PM: Found Spy Cookie: 2o7.net cookie
6:26 PM: [email protected][1].txt (ID = 1958)
6:26 PM: Found Spy Cookie: 247realmedia cookie
6:26 PM: user@247realmedia[2].txt (ID = 1953)
6:26 PM: user@2o7[2].txt (ID = 1957)
6:26 PM: Found Spy Cookie: tribalfusion cookie
6:26 PM: [email protected][1].txt (ID = 3590)
6:26 PM: Found Spy Cookie: websponsors cookie
6:26 PM: [email protected][1].txt (ID = 3665)
6:26 PM: Found Spy Cookie: abcsearch cookie
6:26 PM: user@abcsearch[1].txt (ID = 2033)
6:26 PM: Found Spy Cookie: about cookie
6:26 PM: user@about[2].txt (ID = 2037)
6:26 PM: Found Spy Cookie: yieldmanager cookie
6:26 PM: [email protected][1].txt (ID = 3751)
6:26 PM: Found Spy Cookie: adecn cookie
6:26 PM: user@adecn[1].txt (ID = 2063)
6:26 PM: Found Spy Cookie: adknowledge cookie
6:26 PM: user@adknowledge[2].txt (ID = 2072)
6:26 PM: Found Spy Cookie: adlegend cookie
6:26 PM: user@adlegend[2].txt (ID = 2074)
6:26 PM: Found Spy Cookie: hbmediapro cookie
6:26 PM: [email protected][2].txt (ID = 2768)
6:26 PM: Found Spy Cookie: specificclick.com cookie
6:26 PM: [email protected][2].txt (ID = 3400)
6:26 PM: Found Spy Cookie: adrevolver cookie
6:26 PM: user@adrevolver[1].txt (ID = 2088)
6:26 PM: user@adrevolver[2].txt (ID = 2088)
6:26 PM: Found Spy Cookie: addynamix cookie
6:26 PM: [email protected][2].txt (ID = 2062)
6:26 PM: Found Spy Cookie: cc214142 cookie
6:26 PM: [email protected][1].txt (ID = 2367)
6:26 PM: Found Spy Cookie: pointroll cookie
6:26 PM: [email protected][2].txt (ID = 3148)
6:26 PM: Found Spy Cookie: advertising cookie
6:26 PM: user@advertising[1].txt (ID = 2175)
6:26 PM: Found Spy Cookie: adviva cookie
6:26 PM: user@adviva[2].txt (ID = 2177)
6:26 PM: Found Spy Cookie: apmebf cookie
6:26 PM: user@apmebf[1].txt (ID = 2229)
6:26 PM: Found Spy Cookie: falkag cookie
6:26 PM: [email protected][1].txt (ID = 2650)
6:26 PM: [email protected][2].txt (ID = 2650)
6:26 PM: Found Spy Cookie: ask cookie
6:26 PM: user@ask[1].txt (ID = 2245)
6:26 PM: Found Spy Cookie: atlas dmt cookie
6:26 PM: user@atdmt[2].txt (ID = 2253)
6:26 PM: Found Spy Cookie: belnk cookie
6:26 PM: [email protected][2].txt (ID = 2293)
6:26 PM: Found Spy Cookie: atwola cookie
6:26 PM: user@atwola[1].txt (ID = 2255)
6:26 PM: Found Spy Cookie: banner cookie
6:26 PM: user@banner[1].txt (ID = 2276)
6:26 PM: user@belnk[2].txt (ID = 2292)
6:26 PM: Found Spy Cookie: bluestreak cookie
6:26 PM: user@bluestreak[1].txt (ID = 2314)
6:26 PM: Found Spy Cookie: bravenet cookie
6:26 PM: user@bravenet[2].txt (ID = 2322)
6:26 PM: Found Spy Cookie: bs.serving-sys cookie
6:26 PM: [email protected][1].txt (ID = 2330)
6:26 PM: Found Spy Cookie: burstnet cookie
6:26 PM: user@burstnet[2].txt (ID = 2336)
6:26 PM: Found Spy Cookie: zedo cookie
6:26 PM: [email protected][1].txt (ID = 3763)
6:26 PM: [email protected][2].txt (ID = 3763)
6:26 PM: Found Spy Cookie: casalemedia cookie
6:26 PM: user@casalemedia[2].txt (ID = 2354)
6:26 PM: Found Spy Cookie: centrport net cookie
6:26 PM: user@centrport[1].txt (ID = 2374)
6:26 PM: Found Spy Cookie: clickbank cookie
6:26 PM: user@clickbank[2].txt (ID = 2398)
6:26 PM: Found Spy Cookie: hitslink cookie
6:26 PM: [email protected][1].txt (ID = 2790)
6:26 PM: Found Spy Cookie: coremetrics cookie
6:26 PM: [email protected][1].txt (ID = 2472)
6:26 PM: [email protected][2].txt (ID = 2293)
6:26 PM: Found Spy Cookie: ru4 cookie
6:26 PM: [email protected][2].txt (ID = 3269)
6:26 PM: [email protected][1].txt (ID = 1958)
6:26 PM: Found Spy Cookie: go.com cookie
6:26 PM: [email protected][1].txt (ID = 2729)
6:26 PM: Found Spy Cookie: exitexchange cookie
6:26 PM: user@exitexchange[2].txt (ID = 2633)
6:26 PM: [email protected][1].txt (ID = 2038)
6:26 PM: Found Spy Cookie: fastclick cookie
6:26 PM: user@fastclick[2].txt (ID = 2651)
6:26 PM: Found Spy Cookie: findwhat cookie
6:26 PM: user@findwhat[1].txt (ID = 2674)
6:26 PM: [email protected][1].txt (ID = 2038)
6:26 PM: user@go[2].txt (ID = 2728)
6:26 PM: Found Spy Cookie: clickandtrack cookie
6:26 PM: [email protected][2].txt (ID = 2397)
6:26 PM: Found Spy Cookie: screensavers.com cookie
6:26 PM: [email protected][2].txt (ID = 3298)
6:26 PM: Found Spy Cookie: infiads cookie
6:26 PM: user@infiads[1].txt (ID = 5269)
6:26 PM: Found Spy Cookie: sb01 cookie
6:26 PM: [email protected][1].txt (ID = 3288)
6:26 PM: Found Spy Cookie: netster cookie
6:26 PM: [email protected][1].txt (ID = 3072)
6:26 PM: [email protected][1].txt (ID = 1958)
6:26 PM: Found Spy Cookie: maxserving cookie
6:26 PM: user@maxserving[2].txt (ID = 2966)
6:26 PM: [email protected][1].txt (ID = 2652)
6:26 PM: [email protected][1].txt (ID = 1958)
6:26 PM: Found Spy Cookie: nextag cookie
6:26 PM: user@nextag[2].txt (ID = 5014)
6:26 PM: Found Spy Cookie: overture cookie
6:26 PM: user@overture[1].txt (ID = 3105)
6:26 PM: [email protected][1].txt (ID = 3106)
6:26 PM: Found Spy Cookie: pro-market cookie
6:26 PM: user@pro-market[2].txt (ID = 3197)
6:26 PM: Found Spy Cookie: qksrv cookie
6:26 PM: user@qksrv[1].txt (ID = 3213)
6:26 PM: Found Spy Cookie: questionmarket cookie
6:26 PM: user@questionmarket[1].txt (ID = 3217)
6:26 PM: Found Spy Cookie: realmedia cookie
6:26 PM: user@realmedia[2].txt (ID = 3235)
6:26 PM: Found Spy Cookie: revenue.net cookie
6:26 PM: user@revenue[2].txt (ID = 3257)
6:26 PM: [email protected][1].txt (ID = 2729)
6:26 PM: Found Spy Cookie: serving-sys cookie
6:26 PM: user@serving-sys[2].txt (ID = 3343)
6:26 PM: [email protected][1].txt (ID = 2729)
6:26 PM: Found Spy Cookie: starware.com cookie
6:26 PM: user@starware[2].txt (ID = 3441)
6:26 PM: Found Spy Cookie: statcounter cookie
6:26 PM: user@statcounter[1].txt (ID = 3447)
6:26 PM: Found Spy Cookie: webtrendslive cookie
6:26 PM: [email protected][1].txt (ID = 3667)
6:26 PM: Found Spy Cookie: stlyrics cookie
6:26 PM: user@stlyrics[1].txt (ID = 3461)
6:26 PM: Found Spy Cookie: targetnet cookie
6:26 PM: user@targetnet[2].txt (ID = 3489)
6:26 PM: Found Spy Cookie: tradedoubler cookie
6:26 PM: user@tradedoubler[2].txt (ID = 3575)
6:26 PM: Found Spy Cookie: trafficmp cookie
6:26 PM: user@trafficmp[2].txt (ID = 3581)
6:26 PM: user@tribalfusion[2].txt (ID = 3589)
6:26 PM: [email protected][1].txt (ID = 2472)
6:26 PM: Found Spy Cookie: valuead cookie
6:26 PM: user@valuead[2].txt (ID = 3626)
6:26 PM: Found Spy Cookie: videodome cookie
6:26 PM: user@videodome[1].txt (ID = 3638)
6:26 PM: Found Spy Cookie: realtracker cookie
6:26 PM: [email protected][2].txt (ID = 3242)
6:26 PM: Found Spy Cookie: burstbeacon cookie
6:26 PM: [email protected][2].txt (ID = 2335)
6:26 PM: Found Spy Cookie: findthewebsiteyouneed cookie
6:26 PM: [email protected][2].txt (ID = 2673)
6:26 PM: [email protected][2].txt (ID = 5268)
6:26 PM: [email protected][1].txt (ID = 5015)
6:26 PM: [email protected][1].txt (ID = 3298)
6:26 PM: [email protected][1].txt (ID = 3462)
6:26 PM: user@yieldmanager[1].txt (ID = 3749)
6:26 PM: Found Spy Cookie: adserver cookie
6:26 PM: [email protected][1].txt (ID = 2142)
6:26 PM: user@zedo[2].txt (ID = 3762)
6:26 PM: [email protected][2].txt (ID = 3751)
6:26 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
6:26 PM: Starting File Sweep
6:27 PM: Warning: Failed to open file "c:\system volume information\_restore{0c1d1238-a1ef-43ea-9acf-9240ddba7386}\rp202\a0028292.dll". Access is denied
6:27 PM: Found Adware: wfgtech
6:27 PM: ltndmain[1].dll (ID = 203553)
6:28 PM: mte3ndi6odoxng[1].exe (ID = 185985)
6:28 PM: Found Adware: quicklink search toolbar
6:28 PM: a0031634.dll (ID = 200308)
6:28 PM: Found Adware: apropos
6:28 PM: contextplus[1].exe (ID = 203610)
6:28 PM: ltndload[1].dll (ID = 203552)
6:29 PM: Found Adware: targetsaver
6:29 PM: kquqc.dll (ID = 195129)
6:29 PM: Found Adware: linkmaker
6:29 PM: inrh9400[1].exe (ID = 200300)
6:29 PM: Found Adware: hotsearchbar toolbar
6:29 PM: 6cb84992-a038-458b-bccb-12df2e (ID = 62506)
6:29 PM: a0031863.dll (ID = 200308)
6:32 PM: tx[1].exe (ID = 199283)
6:34 PM: a0031807.dll (ID = 203553)
6:35 PM: a0031772.exe (ID = 195131)
6:35 PM: inst_0004[1].exe (ID = 203674)
6:35 PM: f3d2c1.tmp (ID = 200301)
6:35 PM: backup-20051213-175146-935.dll (ID = 200308)
6:35 PM: a0031922.dll (ID = 200308)
6:35 PM: a0031664.dll (ID = 200308)
6:35 PM: a0031680.dll (ID = 200308)
6:36 PM: a0031710.dll (ID = 200308)
6:36 PM: a0031774.dll (ID = 200308)
6:36 PM: fd427932-9ae8-4334-bf71-d1a33e (ID = 200308)
6:36 PM: a0031801.exe (ID = 199283)
6:36 PM: a0032018.dll (ID = 200308)
6:37 PM: atmtd.dll (ID = 166754)
6:38 PM: drsmartload[1].exe (ID = 203611)
6:38 PM: installer[1].exe (ID = 185986)
6:38 PM: timessquare[1].exe (ID = 194150)
6:39 PM: cmdinst.exe (ID = 185986)
6:39 PM: stub_113_4_0_4_0[1].exe (ID = 193995)
6:40 PM: 9400[1].cab (ID = 200301)
6:40 PM: atmtd.dll._ (ID = 166754)
6:41 PM: a0032019.exe (ID = 200311)
6:42 PM: vocabulary (ID = 78283)
6:43 PM: a0032020.exe (ID = 200314)
6:43 PM: 0g640iv8.dll (ID = 203552)
6:43 PM: dc122.exe (ID = 200309)
6:43 PM: inst_0004.exe (ID = 203674)
6:43 PM: tsupdate2[1].ini (ID = 193498)
6:43 PM: timessquare.exe (ID = 194150)
6:43 PM: kquql.exe (ID = 195130)
6:43 PM: stub_113_4_0_4_0.exe (ID = 193995)
6:43 PM: kquqa.exe (ID = 195128)
6:43 PM: Found Trojan Horse: trojan-downloader-conhook
6:43 PM: vtsqn.dll (ID = 164156)
6:43 PM: drsmartload1.exe (ID = 203611)
6:43 PM: mte3ndi6odoxng.exe (ID = 185985)
6:43 PM: kquqp.exe (ID = 195132)
6:44 PM: inrh9400.exe (ID = 200300)
6:44 PM: contextplus.exe (ID = 203610)
6:45 PM: a0031993.dll (ID = 200308)
6:45 PM: class-barrel (ID = 78229)
6:45 PM: e017150d-9b30-41d2-8bab-afbab8 (ID = 144945)
6:45 PM: 6fe6b340-404c-4c97-b52b-fc7940 (ID = 144946)
6:47 PM: a0031773.vbs (ID = 185675)
6:47 PM: donotdelete[1].htm (ID = 198788)
6:47 PM: drsmartload.dat (ID = 198788)
6:47 PM: Warning: Unhandled Archive Type
6:47 PM: Warning: File not found
6:48 PM: File Sweep Complete, Elapsed Time: 00:22:08
6:48 PM: Full Sweep has completed. Elapsed time 00:26:17
6:48 PM: Traces Found: 189
6:49 PM: Removal process initiated
6:49 PM: Quarantining All Traces: apropos
6:49 PM: Quarantining All Traces: trojan-backdoor-soundcheck
6:49 PM: Quarantining All Traces: trojan-downloader-conhook
6:49 PM: Quarantining All Traces: command
6:49 PM: Quarantining All Traces: dollarrevenue
6:49 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
6:49 PM: Quarantining All Traces: hotsearchbar toolbar
6:49 PM: Quarantining All Traces: linkmaker
6:49 PM: Quarantining All Traces: quicklink search toolbar
6:49 PM: Quarantining All Traces: targetsaver
6:50 PM: Quarantining All Traces: wfgtech
6:50 PM: Quarantining All Traces: 247realmedia cookie
6:50 PM: Quarantining All Traces: 2o7.net cookie
6:50 PM: Quarantining All Traces: abcsearch cookie
6:50 PM: Quarantining All Traces: about cookie
6:50 PM: Quarantining All Traces: addynamix cookie
6:50 PM: Quarantining All Traces: adecn cookie
6:50 PM: Quarantining All Traces: adknowledge cookie
6:50 PM: Quarantining All Traces: adlegend cookie
6:50 PM: Quarantining All Traces: adrevolver cookie
6:50 PM: Quarantining All Traces: adserver cookie
6:50 PM: Quarantining All Traces: advertising cookie
6:50 PM: Quarantining All Traces: adviva cookie
6:50 PM: Quarantining All Traces: apmebf cookie
6:50 PM: Quarantining All Traces: ask cookie
6:50 PM: Quarantining All Traces: atlas dmt cookie
6:50 PM: Quarantining All Traces: atwola cookie
6:50 PM: Quarantining All Traces: banner cookie
6:50 PM: Quarantining All Traces: belnk cookie
6:50 PM: Quarantining All Traces: bluestreak cookie
6:50 PM: Quarantining All Traces: bravenet cookie
6:50 PM: Quarantining All Traces: bs.serving-sys cookie
6:50 PM: Quarantining All Traces: burstbeacon cookie
6:50 PM: Quarantining All Traces: burstnet cookie
6:50 PM: Quarantining All Traces: casalemedia cookie
6:50 PM: Quarantining All Traces: cc214142 cookie
6:50 PM: Quarantining All Traces: centrport net cookie
6:50 PM: Quarantining All Traces: clickandtrack cookie
6:50 PM: Quarantining All Traces: clickbank cookie
6:50 PM: Quarantining All Traces: coremetrics cookie
6:50 PM: Quarantining All Traces: exitexchange cookie
6:50 PM: Quarantining All Traces: falkag cookie
6:50 PM: Quarantining All Traces: fastclick cookie
6:50 PM: Quarantining All Traces: findthewebsiteyouneed cookie
6:50 PM: Quarantining All Traces: findwhat cookie
6:50 PM: Quarantining All Traces: go.com cookie
6:50 PM: Quarantining All Traces: hbmediapro cookie
6:50 PM: Quarantining All Traces: hitslink cookie
6:50 PM: Quarantining All Traces: infiads cookie
6:50 PM: Quarantining All Traces: maxserving cookie
6:50 PM: Quarantining All Traces: netster cookie
6:50 PM: Quarantining All Traces: nextag cookie
6:50 PM: Quarantining All Traces: overture cookie
6:50 PM: Quarantining All Traces: pointroll cookie
6:50 PM: Quarantining All Traces: pro-market cookie
6:50 PM: Quarantining All Traces: qksrv cookie
6:50 PM: Quarantining All Traces: questionmarket cookie
6:50 PM: Quarantining All Traces: realmedia cookie
6:50 PM: Quarantining All Traces: realtracker cookie
6:50 PM: Quarantining All Traces: revenue.net cookie
6:50 PM: Quarantining All Traces: ru4 cookie
6:50 PM: Quarantining All Traces: sb01 cookie
6:50 PM: Quarantining All Traces: screensavers.com cookie
6:50 PM: Quarantining All Traces: serving-sys cookie
6:50 PM: Quarantining All Traces: specificclick.com cookie
6:50 PM: Quarantining All Traces: starware.com cookie
6:50 PM: Quarantining All Traces: statcounter cookie
6:50 PM: Quarantining All Traces: stlyrics cookie
6:50 PM: Quarantining All Traces: targetnet cookie
6:50 PM: Quarantining All Traces: tradedoubler cookie
6:50 PM: Quarantining All Traces: trafficmp cookie
6:50 PM: Quarantining All Traces: tribalfusion cookie
6:50 PM: Quarantining All Traces: valuead cookie
6:50 PM: Quarantining All Traces: videodome cookie
6:50 PM: Quarantining All Traces: websponsors cookie
6:50 PM: Quarantining All Traces: webtrendslive cookie
6:50 PM: Quarantining All Traces: yieldmanager cookie
6:50 PM: Quarantining All Traces: zedo cookie
6:50 PM: Removal process completed. Elapsed time 00:00:45
********
6:20 PM: | Start of Session, Tuesday, December 13, 2005 |
6:20 PM: Spy Sweeper started
6:21 PM: Your spyware definitions have been updated.
6:22 PM: | End of Session, Tuesday, December 13, 2005 |
Results of ActiveScan:
Incident Status Location
Virus:Trj/Downloader.GSV Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0D23STU7\t4u[1].exe
Virus:Trj/Downloader.GSV Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C7OGSOMO\t4u[1].exe
Virus:Trj/Downloader.GSV Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SD6JOLYR\thanks[1].exe
Virus:Trj/Downloader.GSV Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SD6JOLYR\thanks[2].exe
Virus:Trj/Downloader.GSV Not disinfected C:\mt13u.exe
Results to the HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:48:44 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iub.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.iub.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Thanks again. Let me know if there is anything else that I need to do.
-Aaron