
HJT help wanted


2 replies to this topic

#1 alliesdad (Members, 8 posts)

Posted 08 March 2005 - 12:59 AM

Good Evening,

The following is an HJT log generated by my computer. Yesterday Norton reported a Bloodhound virus that it could not fix, and I have since run Spybot, Ad-Aware, and XoftSpy to no avail. They find and fix many items, yet the problem remains. Panda online scan revealed Trj/Downloader.ATA and Trj/Startpage.SJ viruses.

Any suggestions on deletions would be greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 10:02:20 PM, on 3/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
D:\CooLSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Customizer XP\RAMIdle.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\snrc20vj\snrc20vj.exe
C:\WINDOWS\System32\Pfvjnz.exe
C:\WINDOWS\System32\runmeng.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINDOWS\System32\ap9h4qmo.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\pruttct.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\System32\rdopolcy.exe
C:\program files\internet explorer\iexplore.exe
C:\PROGRA~1\Toolbar\pib.exe
C:\PROGRA~1\Toolbar\TBPS.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\WINDOWS\System32\pruttct.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50220

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xmradio.com/xstream/service/account/index.jsp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xmradio.com/xstream/service/account/index.jsp

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {097D441A-6DBA-49AF-A1C1-DBE183907C16} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: SDWin32 Class - {0BF21DEE-1A18-4AFE-B8AE-705FAC3B9F31} - C:\WINDOWS\System32\gktfs.dll (file missing)

O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll

O2 - BHO: (no name) - {20A80D01-048F-4365-B269-CE0CACDB35C8} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {336CE970-94FF-4B1F-8C08-C84E41AB5EC4} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: SDWin32 Class - {420BFD9D-4944-4C99-A35F-3AA7462328EF} - C:\WINDOWS\System32\ygvcx.dll

O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll

O2 - BHO: (no name) - {6BDCE7DE-2136-4980-AFEB-EF80C658D988} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: (no name) - {91B51C03-9A3E-4ADB-BDC0-AE670B6769D7} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {A56E0ED7-8DA3-46DF-84C7-674A806E837D} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {A6C49FE7-D298-4016-A718-FEAB5110D3E3} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll

O2 - BHO: (no name) - {AC9488CC-3BF9-4D28-8551-FED316BFCD68} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BE153388-0682-46BF-9737-03384031ADD0} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {C0A54932-8CAC-4D44-A3C0-77E64EC5FC9A} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {D10DD025-D00B-4F19-BF5D-821E17201D53} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {E5704083-2A31-4653-B42C-6BF96A50AB67} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {F3A5D7A7-EB16-4274-BE93-9961072B7CF1} - C:\Program Files\snrc20vj\snrc20vj.dll

O2 - BHO: (no name) - {FB7FAB97-8FC8-4899-B109-05593EFE55B1} - C:\Program Files\snrc20vj\snrc20vj.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - d:\Toolband.dll

O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [ijyxwhmvh] C:\WINDOWS\System32\zrjrmd.exe
O4 - HKLM\..\Run: [snrc20vj] C:\Program Files\snrc20vj\snrc20vj.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Pfvjnz.exe
O4 - HKLM\..\Run: [7F2U3qV] runmeng.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot

O4 - HKLM\..\RunServicesOnce: [washindex] D:\Program Files\washer\washidx.exe "Jay"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\System32\pruttct.exe
O4 - HKCU\..\Run: [Mot8RkZtO] rdopolcy.exe
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\System32\pruttct.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://d:\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://d:\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://d:\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://d:\Resource.dll/RC_Print.html

O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - D:\\CooLSrv.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 March 2005 - 06:27 PM

Hi There,

Do you have Ad-Aware SE installed? I think you are still using an older version of Ad-Aware, because there are items present in your log that Ad-Aware SE can delete without any problems.
So if it is not installed, download the latest version of Ad-Aware SE and update it:
http://www.lavasoft.de/support/download/

* Download CWShredder.
Start CWShredder and click FIX

*Start HijackThis and place a checkmark before the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {097D441A-6DBA-49AF-A1C1-DBE183907C16} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: SDWin32 Class - {0BF21DEE-1A18-4AFE-B8AE-705FAC3B9F31} - C:\WINDOWS\System32\gktfs.dll (file missing)
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {20A80D01-048F-4365-B269-CE0CACDB35C8} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {336CE970-94FF-4B1F-8C08-C84E41AB5EC4} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: SDWin32 Class - {420BFD9D-4944-4C99-A35F-3AA7462328EF} - C:\WINDOWS\System32\ygvcx.dll
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: (no name) - {6BDCE7DE-2136-4980-AFEB-EF80C658D988} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {91B51C03-9A3E-4ADB-BDC0-AE670B6769D7} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {A56E0ED7-8DA3-46DF-84C7-674A806E837D} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {A6C49FE7-D298-4016-A718-FEAB5110D3E3} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {AC9488CC-3BF9-4D28-8551-FED316BFCD68} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {BE153388-0682-46BF-9737-03384031ADD0} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {C0A54932-8CAC-4D44-A3C0-77E64EC5FC9A} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {D10DD025-D00B-4F19-BF5D-821E17201D53} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {E5704083-2A31-4653-B42C-6BF96A50AB67} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {F3A5D7A7-EB16-4274-BE93-9961072B7CF1} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {FB7FAB97-8FC8-4899-B109-05593EFE55B1} - C:\Program Files\snrc20vj\snrc20vj.dll
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ijyxwhmvh] C:\WINDOWS\System32\zrjrmd.exe
O4 - HKLM\..\Run: [snrc20vj] C:\Program Files\snrc20vj\snrc20vj.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Pfvjnz.exe
O4 - HKLM\..\Run: [7F2U3qV] runmeng.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\System32\pruttct.exe
O4 - HKCU\..\Run: [Mot8RkZtO] rdopolcy.exe
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\System32\pruttct.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll



*Close ALL open windows except HijackThis and click Fix checked.

*Reboot into SAFE MODE
°To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

*Enable the "Show Hidden Files and Folders" option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

*Delete the following files/folders if still present:

C:\Program Files\snrc20vj <== this folder
C:\WINDOWS\System32\Pfvjnz.exe
C:\WINDOWS\System32\runmeng.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\WINDOWS\System32\rdopolcy.exe
C:\PROGRAM FILES\Toolbar<== this folder
C:\WINDOWS\System32\pruttct.exe
C:\Program Files\E2G <== this folder
C:\Program Files\MySearch <== this folder
C:\WINDOWS\System32\zrjrmd.exe
C:\WINDOWS\System32\netsync.exe
C:\WINDOWS\System32\sysmonnt

*Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

* Still in Safe Mode, perform a full scan with Ad-Aware SE and let it delete everything it finds!

*Reboot your computer back to normal mode.

*Perform an online virus scan: Trend Micro HouseCall.

*Post a new HijackThis log for checkup.
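The log in the first post and the fix list in the reply above illustrate how a helper triages an HJT log by eye: search pages redirected to a raw IP, a dozen "(no name)" BHO CLSIDs all backed by one DLL, run keys with gibberish labels, a bare file name with no directory, a "file" with no extension, a RunOnce entry, an O23 service with an unknown owner. The script below is an added example, not part of the thread and not how the responder or HijackThis works: it parses HJT 1.99-style entry lines and applies those generic heuristics to produce a review queue. The sample log is a constructed subset of the entries posted above (including legitimate ones such as ctfmon.exe, NeroCheck and the Norton and Acrobat BHOs as negatives). The thresholds (vowel ratio, minimum stem length, three CLSIDs per DLL) are assumptions, and the output is candidates for a human to check, not verdicts: legitimate entries such as `nwiz.exe /install` (bare file name) or `hpgs2wnd.exe` (no vowels) would also land in the queue.

```python
"""Triage a HijackThis 1.99 log with generic heuristics (added example, not the thread's own method)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {097D441A-6DBA-49AF-A1C1-DBE183907C16} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {20A80D01-048F-4365-B269-CE0CACDB35C8} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: (no name) - {336CE970-94FF-4B1F-8C08-C84E41AB5EC4} - C:\Program Files\snrc20vj\snrc20vj.dll
O2 - BHO: SDWin32 Class - {0BF21DEE-1A18-4AFE-B8AE-705FAC3B9F31} - C:\WINDOWS\System32\gktfs.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ijyxwhmvh] C:\WINDOWS\System32\zrjrmd.exe
O4 - HKLM\..\Run: [7F2U3qV] runmeng.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - D:\\CooLSrv.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# Executable part of an O4 command: a quoted path, or everything before the first " /" or " -" switch.
CMD_RE = re.compile(r'^(?:"(?P<q>[^"]*)"|(?P<u>.+?))(?= [-/]|$)')
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_random(name):
    """Assumed heuristic: stem of 5+ chars with under 15% vowels, or letters and digits interleaved."""
    stem = EXT_RE.sub("", name)
    if len(stem) < 5:
        return False
    letters = [c for c in stem if c.isalpha()]
    if letters and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.15:
        return True
    return len(re.findall(r"[A-Za-z]+|\d+", stem)) >= 4


def o2_path(body):
    """Path portion of an O2 line, without the trailing '(file missing)' / '(no file)' marker."""
    return re.sub(r"\s*\((?:file missing|no file)\)$", "", body.split(" - ")[-1])


def exe_of(cmd):
    m = CMD_RE.match(cmd)
    if not m:
        return cmd
    return (m.group("q") if m.group("q") is not None else m.group("u")).strip()


def parse(text):
    """Yield (section, body, full_line) for every HJT entry line; process lists etc. are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body"), line.strip()


def triage(text):
    """Return {entry_line: [reasons]} for entries a helper would want to look at."""
    entries = list(parse(text))
    dll_refs = defaultdict(int)  # how many O2 CLSIDs point at the same DLL
    for sec, body, _ in entries:
        if sec == "O2":
            dll_refs[o2_path(body).lower()] += 1
    flagged = {}
    for sec, body, line in entries:
        reasons = []
        if sec.startswith("R"):
            m = re.search(r"https?://([^/\s:]+)", body)
            if m and BARE_IP_RE.match(m.group(1)):
                reasons.append("search/start page points at a raw IP address")
        elif sec == "O2":
            path = o2_path(body)
            if "(file missing)" in body or "(no file)" in body:
                reasons.append("dead BHO registration (file missing)")
            if body.startswith("BHO: (no name)"):
                reasons.append("BHO registered without a name")
            if dll_refs[path.lower()] >= 3:
                reasons.append(f"{dll_refs[path.lower()]} BHO CLSIDs share one DLL")
            if looks_random(basename(path)):
                reasons.append("DLL name looks machine-generated")
        elif sec == "O4":
            m = O4_RE.match(body)
            if m:
                exe = exe_of(m.group("cmd"))
                if "RunOnce" in m.group("key"):
                    reasons.append("RunOnce entry: legitimate only for a one-shot installer step")
                if "\\" not in exe:
                    reasons.append("bare file name, resolved via the search path")
                if not EXT_RE.search(exe):
                    reasons.append("no file extension")
                if looks_random(m.group("label")) or looks_random(basename(exe)):
                    reasons.append("run-key label or file name looks machine-generated")
        elif sec == "O23" and " - Unknown owner - " in body:
            reasons.append("service binary has no publisher (Unknown owner)")
        if reasons:
            flagged[line] = reasons
    return flagged


def review_paths(flagged):
    """File paths behind flagged O2/O4/O23 entries: the list to check for in Safe Mode."""
    paths = set()
    for line in flagged:
        sec, body = line.split(" - ", 1)
        if sec == "O2":
            p = o2_path(body)
        elif sec == "O4":
            m = O4_RE.match(body)
            p = exe_of(m.group("cmd")) if m else ""
        elif sec == "O23":
            p = body.split(" - ")[-1]
        else:
            continue
        if p:
            paths.add(p)
    return sorted(paths)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry, why in result.items():
        print(entry, "\n    -> " + "; ".join(why))
    print("\nFiles to look at:", *review_paths(result), sep="\n  ")
```

Running it on the full log from the first post rather than the sample reproduces most of the responder's checklist, with the legitimate Google, Norton, Acrobat, Nero and ctfmon entries left alone; folder-level deletions (the whole snrc20vj, Toolbar, MySearch and E2G directories) remain a human decision, since the log only names the files that are loaded.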

#3 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 09 March 2005 - 06:23 AM

alliesdad, it seems I overlooked an item.

Check this one too in HijackThis:

O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe

When in Safe Mode, also delete this folder: C:\Program Files\Media Pass

Edited by miekiemoes, 09 March 2005 - 06:23 AM.
