
Winfixer


9 replies to this topic

#1 zachie97

zachie97


Posted 23 November 2005 - 07:21 PM

Here is my HijackThis log. I ran the Virtumundo.exe program listed in one of these forums but I don't see any of the files it mentions in the Hijack log so I was wondering if I have got rid of it yet or not. I will also post the log from the virtumundo program in case it helps. Thanks in advance for all your help!!
Scan saved at 6:10:17 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.20\UWFX5_0001_N56M0311NetInstaller.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Childers Family\My Documents\Downloads\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Common Files\4 Warn Alert\TrueWeather.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Childers Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Childers Family\My Documents\Downloads\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: 4 Warn Alert.lnk = C:\Program Files\Common Files\4 Warn Alert\TrueWeather.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131577513265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://guest:guest@63.121.237.132/activex/AxisCamControl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/41/install/gtdownls.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib2.dancik.com/ib/download/actimagefull20816.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

Virtumundo Log:

[11/23/2005, 15:50:24] - Looking for Browser Helper Object [MSEvents Object]
[11/23/2005, 15:50:24] - 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo! Companion BHO
[11/23/2005, 15:50:24] - 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/23/2005, 15:50:24] - 3: {45AD732C-2CE2-4666-B366-B2214AD57A49} -
[11/23/2005, 15:50:24] - WARNING: 3: {45AD732C-2CE2-4666-B366-B2214AD57A49} - BHO Name is blank.
[11/23/2005, 15:50:24] - Checking for WinLogon Notify reference. (File: )
[11/23/2005, 15:50:24] - Couldn't find in Winlogon Notify. Ignoring {45AD732C-2CE2-4666-B366-B2214AD57A49}.
[11/23/2005, 15:50:24] - 4: {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - MSEvents Object
[11/23/2005, 15:50:24] - Found MSEvents Object!
[11/23/2005, 15:50:24] - File location: C:\WINDOWS\system32\awvvu.dll
[11/23/2005, 15:50:24] - Attempting to kill C:\WINDOWS\system32\awvvu.dll
[11/23/2005, 15:50:24] - Terminating Process: RUNDLL32.EXE
[11/23/2005, 15:50:24] - Terminating Process: IEXPLORE.EXE
[11/23/2005, 15:50:24] - Disabling Automatic Shell Restart
[11/23/2005, 15:50:24] - Terminating Process: EXPLORER.EXE
[11/23/2005, 15:50:25] - Suspending the NT Session Manager System Service
[11/23/2005, 15:50:25] - Terminating Windows NT Logon/Logoff Manager
[11/23/2005, 15:50:25] - Re-enabling Automatic Shell Restart
[11/23/2005, 15:50:25] - Renaming C:\WINDOWS\system32\awvvu.dll -> C:\WINDOWS\system32\awvvu.dll.vir
[11/23/2005, 15:50:25] - File successfully renamed!
[11/23/2005, 15:50:25] - Removing Registry references to {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}
[11/23/2005, 15:50:25] - Adding Internet Explorer Protection (Kill ActiveX) for {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}
[11/23/2005, 15:50:25] - Removing Winlogon Notify Entry: awvvu
[11/23/2005, 15:50:25] - BHO list has been changed! Starting over...
[11/23/2005, 15:50:25] - 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo! Companion BHO
[11/23/2005, 15:50:25] - 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/23/2005, 15:50:25] - 3: {45AD732C-2CE2-4666-B366-B2214AD57A49} -
[11/23/2005, 15:50:25] - WARNING: 3: {45AD732C-2CE2-4666-B366-B2214AD57A49} - BHO Name is blank.
[11/23/2005, 15:50:25] - Checking for WinLogon Notify reference. (File: )
[11/23/2005, 15:50:25] - Couldn't find in Winlogon Notify. Ignoring {45AD732C-2CE2-4666-B366-B2214AD57A49}.
[11/23/2005, 15:50:25] - 4: {9527D42F-D666-11D3-B8DD-00600838CD5F} - IEWatchObj Class
[11/23/2005, 15:50:25] - 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/23/2005, 15:50:25] - Finished searching for [MSEvents Object]
[11/23/2005, 15:50:25] - Finishing up...
[11/23/2005, 15:50:25] - Enabling Automatic Reboot on STOP Error.
[11/23/2005, 15:50:25] - Attempting to Restart via STOP error (Blue Screen!)


#2 -David-

-David-


Posted 27 November 2005 - 05:04 AM

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#3 zachie97

zachie97
  • Topic Starter


Posted 27 November 2005 - 05:47 PM

Here's my Spysweeper Log:

4:30 PM: Spy Sweeper started
4:30 PM: Sweep initiated using definitions version 574
4:30 PM: Starting Memory Sweep
4:32 PM: Memory Sweep Complete, Elapsed Time: 00:02:18
4:32 PM: Starting Registry Sweep
4:32 PM: Found Adware: comet cursor
4:32 PM: HKCR\appid\dmserver.exe\ (1 subtraces) (ID = 106303)
4:32 PM: HKLM\software\classes\appid\dmserver.exe\ (1 subtraces) (ID = 106525)
4:32 PM: Found Adware: delfin
4:32 PM: HKLM\software\mvu\ (2 subtraces) (ID = 124885)
4:32 PM: Found Adware: elitemediagroup-mediamotor
4:32 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
4:32 PM: Found Adware: search fast communicator toolbar
4:32 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140698)
4:32 PM: Found Adware: quicklink search toolbar
4:32 PM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
4:32 PM: Found Adware: shopathomeselect
4:32 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall6.dll\ (2 subtraces) (ID = 509618)
4:32 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm81.ocx\ (2 subtraces) (ID = 762354)
4:32 PM: Found Adware: winantispyware 2005
4:32 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\program files\common files\winsoftware\fcrxml.dll (ID = 819066)
4:32 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\program files\common files\winsoftware\prcheck.dll (ID = 819067)
4:32 PM: HKCR\uwfxpcheck.uwfxpcheck.1\ (3 subtraces) (ID = 970282)
4:32 PM: HKCR\uwfxpcheck.uwfxpcheck\ (5 subtraces) (ID = 970286)
4:32 PM: HKCR\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\ (14 subtraces) (ID = 970474)
4:32 PM: HKCR\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\ (9 subtraces) (ID = 970551)
4:32 PM: HKLM\software\classes\uwfxpcheck.uwfxpcheck.1\ (3 subtraces) (ID = 970710)
4:32 PM: HKLM\software\classes\uwfxpcheck.uwfxpcheck\ (5 subtraces) (ID = 970714)
4:32 PM: HKLM\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\ (14 subtraces) (ID = 970909)
4:32 PM: HKLM\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\ (9 subtraces) (ID = 970986)
4:32 PM: HKU\S-1-5-21-346637467-2071065246-964273269-1007\software\communicator toolbar\ (9 subtraces) (ID = 140688)
4:32 PM: HKU\S-1-5-21-346637467-2071065246-964273269-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
4:33 PM: Registry Sweep Complete, Elapsed Time:00:00:23
4:33 PM: Starting Cookie Sweep
4:33 PM: Found Spy Cookie: 2o7.net cookie
4:33 PM: childers family@2o7[2].txt (ID = 1957)
4:33 PM: Found Spy Cookie: about cookie
4:33 PM: childers family@about[1].txt (ID = 2037)
4:33 PM: Found Spy Cookie: adrevolver cookie
4:33 PM: childers family@adrevolver[1].txt (ID = 2088)
4:33 PM: childers family@adrevolver[2].txt (ID = 2088)
4:33 PM: Found Spy Cookie: ads.adsag cookie
4:33 PM: childers family@ads.adsag[1].txt (ID = 2108)
4:33 PM: Found Spy Cookie: pointroll cookie
4:33 PM: childers family@ads.pointroll[2].txt (ID = 3148)
4:33 PM: Found Spy Cookie: advertising cookie
4:33 PM: childers family@advertising[1].txt (ID = 2175)
4:33 PM: Found Spy Cookie: apmebf cookie
4:33 PM: childers family@apmebf[2].txt (ID = 2229)
4:33 PM: Found Spy Cookie: ask cookie
4:33 PM: childers family@ask[1].txt (ID = 2245)
4:33 PM: Found Spy Cookie: atlas dmt cookie
4:33 PM: childers family@atdmt[2].txt (ID = 2253)
4:33 PM: Found Spy Cookie: atwola cookie
4:33 PM: childers family@atwola[1].txt (ID = 2255)
4:33 PM: childers family@bbq.about[2].txt (ID = 2038)
4:33 PM: Found Spy Cookie: belnk cookie
4:33 PM: childers family@belnk[1].txt (ID = 2292)
4:33 PM: Found Spy Cookie: bs.serving-sys cookie
4:33 PM: childers family@bs.serving-sys[1].txt (ID = 2330)
4:33 PM: Found Spy Cookie: burstnet cookie
4:33 PM: childers family@burstnet[2].txt (ID = 2336)
4:33 PM: Found Spy Cookie: zedo cookie
4:33 PM: childers family@c1.zedo[1].txt (ID = 3763)
4:33 PM: Found Spy Cookie: casalemedia cookie
4:33 PM: childers family@casalemedia[1].txt (ID = 2354)
4:33 PM: Found Spy Cookie: centrport net cookie
4:33 PM: childers family@centrport[2].txt (ID = 2374)
4:33 PM: Found Spy Cookie: clickbank cookie
4:33 PM: childers family@clickbank[2].txt (ID = 2398)
4:33 PM: Found Spy Cookie: 360i cookie
4:33 PM: childers family@ct.360i[2].txt (ID = 1962)
4:33 PM: Found Spy Cookie: coremetrics cookie
4:33 PM: childers family@data.coremetrics[1].txt (ID = 2472)
4:33 PM: childers family@dist.belnk[2].txt (ID = 2293)
4:33 PM: Found Spy Cookie: ru4 cookie
4:33 PM: childers family@edge.ru4[1].txt (ID = 3269)
4:33 PM: Found Spy Cookie: fastclick cookie
4:33 PM: childers family@fastclick[2].txt (ID = 2651)
4:33 PM: Found Spy Cookie: humanclick cookie
4:33 PM: childers family@hc2.humanclick[1].txt (ID = 2810)
4:33 PM: childers family@homecooking.about[2].txt (ID = 2038)
4:33 PM: Found Spy Cookie: linksynergy cookie
4:33 PM: childers family@linksynergy[2].txt (ID = 2926)
4:33 PM: Found Spy Cookie: overture cookie
4:33 PM: childers family@perf.overture[1].txt (ID = 3106)
4:33 PM: Found Spy Cookie: questionmarket cookie
4:33 PM: childers family@questionmarket[2].txt (ID = 3217)
4:33 PM: Found Spy Cookie: realmedia cookie
4:33 PM: childers family@realmedia[1].txt (ID = 3235)
4:33 PM: Found Spy Cookie: reunion cookie
4:33 PM: childers family@reunion[2].txt (ID = 3255)
4:33 PM: Found Spy Cookie: serving-sys cookie
4:33 PM: childers family@serving-sys[2].txt (ID = 3343)
4:33 PM: childers family@southernfood.about[2].txt (ID = 2038)
4:33 PM: Found Spy Cookie: dealtime cookie
4:33 PM: childers family@stat.dealtime[1].txt (ID = 2506)
4:33 PM: Found Spy Cookie: statcounter cookie
4:33 PM: childers family@statcounter[1].txt (ID = 3447)
4:33 PM: Found Spy Cookie: reliablestats cookie
4:33 PM: childers family@stats1.reliablestats[2].txt (ID = 3254)
4:33 PM: Found Spy Cookie: trb.com cookie
4:33 PM: childers family@trb[1].txt (ID = 3587)
4:33 PM: Found Spy Cookie: tribalfusion cookie
4:33 PM: childers family@tribalfusion[1].txt (ID = 3589)
4:33 PM: Found Spy Cookie: realtracker cookie
4:33 PM: childers family@web4.realtracker[2].txt (ID = 3242)
4:33 PM: Found Spy Cookie: burstbeacon cookie
4:33 PM: childers family@www.burstbeacon[1].txt (ID = 2335)
4:33 PM: Found Spy Cookie: myaffiliateprogram.com cookie
4:33 PM: childers family@www.myaffiliateprogram[1].txt (ID = 3032)
4:33 PM: childers family@zedo[2].txt (ID = 3762)
4:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
4:33 PM: Starting File Sweep
4:33 PM: c:\program files\quick links (1 subtraces) (ID = -2147478145)
4:33 PM: c:\program files\communicator toolbar (465 subtraces) (ID = -2147480362)
4:33 PM: c:\program files\common files\winsoftware (2 subtraces) (ID = -2147476682)
4:34 PM: Found Adware: icondroppers
4:34 PM: myurlsagain.exe (ID = 62593)
4:35 PM: qldf.bin (ID = 131688)
4:36 PM: Found Adware: directrevenue-abetterinternet
4:36 PM: 0b5bd642-dd75-4353-a9df-dd1f85 (ID = 146599)
4:38 PM: 7ffj9ltd.dll (ID = 130512)
4:38 PM: dfdr.sys (ID = 188536)
4:39 PM: 1178532c-7e49-4f8c-9048-db62a9 (ID = 146599)
4:40 PM: 7hjvj0g9.dat (ID = 121494)
4:40 PM: t98jeqc2.exe (ID = 130513)
4:42 PM: hisistheurls.exe (ID = 62594)
4:42 PM: grinstall.inf (ID = 75773)
4:42 PM: Found Adware: zenosearchassistant
4:42 PM: zxdnt3d.cfg (ID = 91140)
4:42 PM: File Sweep Complete, Elapsed Time: 00:09:40
4:42 PM: Full Sweep has completed. Elapsed time 00:12:27
4:42 PM: Traces Found: 626
4:43 PM: Removal process initiated
4:43 PM: Quarantining All Traces: directrevenue-abetterinternet
4:43 PM: Quarantining All Traces: comet cursor
4:43 PM: Quarantining All Traces: delfin
4:43 PM: Quarantining All Traces: elitemediagroup-mediamotor
4:43 PM: Quarantining All Traces: icondroppers
4:43 PM: Quarantining All Traces: quicklink search toolbar
4:43 PM: Quarantining All Traces: search fast communicator toolbar
4:43 PM: Quarantining All Traces: shopathomeselect
4:43 PM: Quarantining All Traces: winantispyware 2005
4:43 PM: Quarantining All Traces: zenosearchassistant
4:43 PM: Quarantining All Traces: 2o7.net cookie
4:43 PM: Quarantining All Traces: 360i cookie
4:43 PM: Quarantining All Traces: about cookie
4:43 PM: Quarantining All Traces: adrevolver cookie
4:43 PM: Quarantining All Traces: ads.adsag cookie
4:43 PM: Quarantining All Traces: advertising cookie
4:43 PM: Quarantining All Traces: apmebf cookie
4:43 PM: Quarantining All Traces: ask cookie
4:43 PM: Quarantining All Traces: atlas dmt cookie
4:43 PM: Quarantining All Traces: atwola cookie
4:43 PM: Quarantining All Traces: belnk cookie
4:43 PM: Quarantining All Traces: bs.serving-sys cookie
4:43 PM: Quarantining All Traces: burstbeacon cookie
4:43 PM: Quarantining All Traces: burstnet cookie
4:43 PM: Quarantining All Traces: casalemedia cookie
4:43 PM: Quarantining All Traces: centrport net cookie
4:43 PM: Quarantining All Traces: clickbank cookie
4:43 PM: Quarantining All Traces: coremetrics cookie
4:43 PM: Quarantining All Traces: dealtime cookie
4:43 PM: Quarantining All Traces: fastclick cookie
4:43 PM: Quarantining All Traces: humanclick cookie
4:43 PM: Quarantining All Traces: linksynergy cookie
4:43 PM: Quarantining All Traces: myaffiliateprogram.com cookie
4:43 PM: Quarantining All Traces: overture cookie
4:43 PM: Quarantining All Traces: pointroll cookie
4:43 PM: Quarantining All Traces: questionmarket cookie
4:43 PM: Quarantining All Traces: realmedia cookie
4:43 PM: Quarantining All Traces: realtracker cookie
4:43 PM: Quarantining All Traces: reliablestats cookie
4:43 PM: Quarantining All Traces: reunion cookie
4:43 PM: Quarantining All Traces: ru4 cookie
4:43 PM: Quarantining All Traces: serving-sys cookie
4:43 PM: Quarantining All Traces: statcounter cookie
4:43 PM: Quarantining All Traces: trb.com cookie
4:43 PM: Quarantining All Traces: tribalfusion cookie
4:43 PM: Quarantining All Traces: zedo cookie
4:44 PM: Removal process completed. Elapsed time 00:00:42
********
4:29 PM: | Start of Session, Sunday, November 27, 2005 |
4:29 PM: Spy Sweeper started
4:30 PM: Your spyware definitions have been updated.
4:30 PM: | End of Session, Sunday, November 27, 2005 |

#4 zachie97

zachie97
  • Topic Starter


Posted 27 November 2005 - 05:54 PM

And here's my new HJT log after reboot. Thanks for your help!!!!

Scan saved at 4:49:25 PM, on 11/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Childers Family\My Documents\Downloads\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Common Files\4 Warn Alert\TrueWeather.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\Childers Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Childers Family\My Documents\Downloads\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: 4 Warn Alert.lnk = C:\Program Files\Common Files\4 Warn Alert\TrueWeather.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131577513265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://guest:guest@63.121.237.132/activex/AxisCamControl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/41/install/gtdownls.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib2.dancik.com/ib/download/actimagefull20816.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
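The check a helper does at this point is to compare the before and after HJT logs and see which of the flagged entries (orphaned "(no file)" BHOs and toolbars, blank names, Winlogon Notify DLLs, odd O16 download URLs) are still there. The script below is an added example, not code from the thread or from HijackThis: the log excerpts are constructed from the two logs posted above, and the flag rules are this example's own heuristics.

```python
"""Triage helper for a 'before' and 'after' HijackThis (HJT) log.

Parses the R/O entries of both logs, flags the entry types a helper looks
at first, and reports what changed between the two scans.  The flag rules
are heuristics written for this example, not HijackThis logic.
"""
import re
from dataclasses import dataclass

# HJT entry lines look like "O2 - BHO: <name> - {CLSID} - <file>".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Excerpts constructed from the first log posted in this thread (23 Nov).
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://guest:guest@63.121.237.132/activex/AxisCamControl.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

# Excerpts constructed from the log posted after the Spy Sweeper run (27 Nov).
AFTER_LOG = r"""
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://guest:guest@63.121.237.132/activex/AxisCamControl.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # "O2", "O16", "O20", ...
    body: str     # everything after the "O2 - " prefix


def parse_hjt(text):
    """Return the R/O entries of an HJT log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def flag_entry(e):
    """Reasons a helper would inspect this entry; an empty list means nothing notable."""
    reasons = []
    if e.section in ("O2", "O3", "O9") and e.body.endswith("(no file)"):
        reasons.append("orphaned: object is still registered but its file is gone")
    if e.section in ("O2", "O3") and "(no name)" in e.body:
        reasons.append("blank name: legitimate BHOs and toolbars identify themselves")
    if e.section == "O16" and e.body.endswith("-"):
        reasons.append("ActiveX (DPF) entry with no download URL")
    if e.section == "O16" and "@" in e.body:
        reasons.append("ActiveX download URL embeds credentials (user:pass@host)")
    if e.section == "O20":
        reasons.append("Winlogon Notify DLL: loaded at every logon, verify the vendor")
    return reasons


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def still_open(text):
    """Flagged entries remaining in a log, as (entry, reasons) pairs."""
    return [(e, flag_entry(e)) for e in parse_hjt(text) if flag_entry(e)]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print("gone:  ", e.section, e.body)
    for e in added:
        print("new:   ", e.section, e.body)
    for e, why in still_open(AFTER_LOG):
        print("review:", e.section, e.body, "->", "; ".join(why))
```

On these excerpts the O3 toolbar that Spy Sweeper quarantined shows up as "gone", the Spy Sweeper Run key and its WRNotifier O20 entry as "new", and the two "(no file)" BHOs are still listed for the helper to have removed.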

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Childers Family\My Documents\Downloads\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: 4 Warn Alert.lnk = C:\Program Files\Common Files\4 Warn Alert\TrueWeather.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131577513265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://guest:guest@63.121.237.132/activex/AxisCamControl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/41/install/gtdownls.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib2.dancik.com/ib/download/actimagefull20816.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 28 November 2005 - 11:52 AM

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://guest:guest@63.121.237.132/activex/AxisCamControl.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Post new HJT log

How's everything running?

David :thumbsup:
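
The entries David asks to have fixed above are the kinds a reviewer looks for first in a HijackThis log: empty R0 start-page values, O2 BHOs that point at "(no file)", an O8 context-menu item that loads a remote URL, and O16 ActiveX entries with no name, no URL, or a login embedded in the download URL. What follows is an added example, not code from this thread or from HijackThis itself: it encodes those checks as a read-only triage over a constructed sample made from lines posted in this thread, and the function names and reason strings are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on R0/O2/O8/O16 lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://guest:guest@63.121.237.132/activex/AxisCamControl.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")          # "O16 - rest"
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def review_dpf(rest):
    """Reasons to look twice at an O16 (Downloaded Program Files / ActiveX) entry."""
    m = DPF_RE.match(rest)
    if not m:
        return ["unparseable O16 entry"]
    reasons = [] if m.group("name") else ["ActiveX control has no name"]
    url = m.group("url")
    if not url:
        return reasons + ["no download URL recorded"]
    parts = urlsplit(url)
    if parts.username is not None:           # user:pass@host in the URL
        reasons.append("credentials embedded in download URL")
    if parts.hostname and IPV4_RE.match(parts.hostname):
        reasons.append("control downloaded from a bare IP address")
    return reasons


def triage(log_text):
    """Return (line, reason) pairs for entries a reviewer would check first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # scan header, process list, blank lines
        sec, rest = m.group("sec"), m.group("rest")
        target = rest.rsplit(" - ", 1)[-1]   # last " - " field: path, URL or "(no file)"
        reasons = []
        if sec in ("R0", "R1") and rest.endswith("="):
            reasons.append("start/search page setting is empty")
        elif sec in ("O2", "O9") and target == "(no file)":
            reasons.append("registered component points at a missing file")
        elif sec == "O8" and target.lower().startswith(("http://", "https://")):
            reasons.append("context-menu item loads a remote URL")
        elif sec == "O16":
            reasons = review_dpf(rest)
        findings.extend((line, r) for r in reasons)
    return findings
```

Calling `triage()` on the text of a saved log returns the flagged lines with their reasons; it changes nothing on the machine, so the decision to "fix checked" stays with the person reading the log.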

#7 zachie97

zachie97
  • Topic Starter

  • Members
  • 6 posts

Posted 28 November 2005 - 01:45 PM

Here's the new HJT log. My computer has been running fine; we were tired of the Winfixer pop-ups every time we went on-line and I couldn't get it off my computer. I think I had it pretty much stopped using my firewall and the WinPatrol program, but I wanted to make sure it was deleted from my hard drive. I really appreciate all your help.

Scan saved at 12:37:10 PM, on 11/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Childers Family\My Documents\Downloads\framxpro\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Common Files\4 Warn Alert\TrueWeather.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\Childers Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Childers Family\My Documents\Downloads\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: 4 Warn Alert.lnk = C:\Program Files\Common Files\4 Warn Alert\TrueWeather.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131577513265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/41/install/gtdownls.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib2.dancik.com/ib/download/actimagefull20816.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 28 November 2005 - 01:50 PM

Ok! Glad I was able to help you! :thumbsup:

The log is clean! :flowers:

If I have helped you please consider making a donation using the "make a donation" button in my signature. My help is free, but please consider it to keep me fighting spyware for you and others! :trumpet: :inlove:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

David

#9 zachie97

zachie97
  • Topic Starter

  • Members
  • 6 posts

Posted 28 November 2005 - 05:19 PM

Great job David!! Hope my little donation helps... Thanks, Shannon :thumbsup:

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 29 November 2005 - 01:43 PM

Thanks very much again! :thumbsup:



