
Hjt Log Nearly Clean, But...


This topic is locked
7 replies to this topic

#1 Krawlspace

Krawlspace

  • Members
  • 48 posts

Posted 05 January 2006 - 11:06 AM

Hi all!
XP machine with SP2

Ran and removed all results from NAV, AdAware and ewido, all with the latest updates.

Thanks in advance!!!!!!!

And if any other users check this thread for help with their problem, DONATE!!! Help the cause!!!
I did and now I sleep guilt free!!!

Here's the dope:

Logfile of HijackThis v1.99.1
Scan saved at 10:59:46 AM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {DE55CFA5-5634-7CCA-4744-5A50D4513FC6} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {EB78FFA5-7B07-49FE-6A74-6A7DE46112F6} - (no file)
R3 - URLSearchHook: (no name) - {DA55CFD4-5636-0FCC-4741-5F50A7543FC2} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1203B096-6430-0794-5984-20F9CC43ECFD} - (no file)
O2 - BHO: (no name) - {15274483-8945-D2EF-67B6-850DF288A69C} - (no file)
O2 - BHO: (no name) - {15FB7C32-FAC3-CF62-A92D-EA35639BEEAC} - (no file)
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: (no name) - {250A7482-A476-93D7-4A86-B520C2B88BAD} - (no file)
O2 - BHO: (no name) - {36B123C4-A466-97C9-0EF9-B7E02D8DC2FB} - (no file)
O2 - BHO: (no name) - {40720207-CEC2-C63D-E6A0-C159A781F2CE} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MIT BHO - {6379A99A-9102-446C-A837-0623E1810D75} - (no file)
O2 - BHO: (no name) - {705F3206-E3F1-8705-CB90-F17497B1DFFF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\uyyc62.dll
O2 - BHO: (no name) - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O2 - BHO: (no name) - {841C0D00-8CF2-B856-C85A-CD57D5D223A0} - (no file)
O2 - BHO: (no name) - {A5DB8E50-5CA2-3D08-9A4B-193A130F0CF0} - (no file)
O2 - BHO: (no name) - {A87F6ACD-EB67-DBC5-0966-FE24B2260FAB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DA55CFD4-5636-0FCC-4741-5F50A7543FC2} - (no file)
O2 - BHO: (no name) - {DE55CFA5-5634-7CCA-4744-5A50D4513FC6} - (no file)
O2 - BHO: (no name) - {E8142A6C-F3C8-CE6F-F79C-E105D01717A3} - (no file)
O2 - BHO: (no name) - {EB78FFA5-7B07-49FE-6A74-6A7DE46112F6} - (no file)
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FE20CA43-15B3-291A-D4BF-06BBBBE456FB} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [u2p8rlh.exe] C:\WINDOWS\system32\u2p8rlh.exe /k
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt mt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [u2p8rlh.exe] C:\WINDOWS\system32\u2p8rlh.exe /k
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loader.com/load/ccaccess.cab
O20 - Winlogon Notify: ddayx - ddayx.dll (file missing)
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: logwave - C:\WINDOWS\Help\logwave.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 January 2006 - 09:33 PM

Hello Krawlspace,

Download win32delfkil.exe.

Save it on your desktop.

Double click on win32delfkil.exe and install it.
This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.

Edited by SifuMike, 10 January 2006 - 09:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Krawlspace

Krawlspace
  • Topic Starter

  • Members
  • 48 posts

Posted 11 January 2006 - 01:36 PM

Hi, SifuMike!

Thanks for taking the time!

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:32:35 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...e=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...e=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/.../ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...e=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {DE55CFA5-5634-7CCA-4744-5A50D4513FC6} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {EB78FFA5-7B07-49FE-6A74-6A7DE46112F6} - (no file)
R3 - URLSearchHook: (no name) - {DA55CFD4-5636-0FCC-4741-5F50A7543FC2} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1203B096-6430-0794-5984-20F9CC43ECFD} - (no file)
O2 - BHO: (no name) - {15274483-8945-D2EF-67B6-850DF288A69C} - (no file)
O2 - BHO: (no name) - {15FB7C32-FAC3-CF62-A92D-EA35639BEEAC} - (no file)
O2 - BHO: (no name) - {250A7482-A476-93D7-4A86-B520C2B88BAD} - (no file)
O2 - BHO: (no name) - {36B123C4-A466-97C9-0EF9-B7E02D8DC2FB} - (no file)
O2 - BHO: (no name) - {40720207-CEC2-C63D-E6A0-C159A781F2CE} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MIT BHO - {6379A99A-9102-446C-A837-0623E1810D75} - (no file)
O2 - BHO: (no name) - {705F3206-E3F1-8705-CB90-F17497B1DFFF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\uyyc62.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O2 - BHO: (no name) - {841C0D00-8CF2-B856-C85A-CD57D5D223A0} - (no file)
O2 - BHO: (no name) - {A5DB8E50-5CA2-3D08-9A4B-193A130F0CF0} - (no file)
O2 - BHO: (no name) - {A87F6ACD-EB67-DBC5-0966-FE24B2260FAB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DA55CFD4-5636-0FCC-4741-5F50A7543FC2} - (no file)
O2 - BHO: (no name) - {DE55CFA5-5634-7CCA-4744-5A50D4513FC6} - (no file)
O2 - BHO: (no name) - {E8142A6C-F3C8-CE6F-F79C-E105D01717A3} - (no file)
O2 - BHO: (no name) - {EB78FFA5-7B07-49FE-6A74-6A7DE46112F6} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FE20CA43-15B3-291A-D4BF-06BBBBE456FB} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [u2p8rlh.exe] C:\WINDOWS\system32\u2p8rlh.exe /k
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt mt
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [u2p8rlh.exe] C:\WINDOWS\system32\u2p8rlh.exe /k
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...ite/yautocomplete.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loader.com/load/ccaccess.cab
O20 - Winlogon Notify: ddayx - ddayx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: logwave - C:\WINDOWS\Help\logwave.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Windelf Log:


************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
cc.exe
prflbmsgp32.dll

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} REG_SZ st3
{16875E09-927B-4494-82BD-158A1CD46BA0} REG_SZ z

Notify key
----------
subkey st3 is present!
subkey gs is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

Notify key
----------

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 January 2006 - 05:11 PM

Hello Krawlspace,

You still have a bunch of malware on your computer. :thumbsup:
Let's remove it.

*******************************************

We have to stop a service.

Click Start > Run and type in Services.msc
Click OK
In the Services box, click the Extended tab.

Scroll down to:
System Startup Service
Click Stop, then Disable

Reboot your computer.

*******************************************

Open HijackThis. Click on 'Open the miscellaneous tools section'
Click on 'Delete an NT Service'
Paste in this:
SvcProc
and click 'OK'

Reboot your computer.

*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/.../ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {DE55CFA5-5634-7CCA-4744-5A50D4513FC6} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {EB78FFA5-7B07-49FE-6A74-6A7DE46112F6} - (no file)
R3 - URLSearchHook: (no name) - {DA55CFD4-5636-0FCC-4741-5F50A7543FC2} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: (no name) - {1203B096-6430-0794-5984-20F9CC43ECFD} - (no file)
O2 - BHO: (no name) - {15274483-8945-D2EF-67B6-850DF288A69C} - (no file)
O2 - BHO: (no name) - {15FB7C32-FAC3-CF62-A92D-EA35639BEEAC} - (no file)
O2 - BHO: (no name) - {250A7482-A476-93D7-4A86-B520C2B88BAD} - (no file)
O2 - BHO: (no name) - {36B123C4-A466-97C9-0EF9-B7E02D8DC2FB} - (no file)
O2 - BHO: (no name) - {40720207-CEC2-C63D-E6A0-C159A781F2CE} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MIT BHO - {6379A99A-9102-446C-A837-0623E1810D75} - (no file)
O2 - BHO: (no name) - {705F3206-E3F1-8705-CB90-F17497B1DFFF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\uyyc62.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O2 - BHO: (no name) - {841C0D00-8CF2-B856-C85A-CD57D5D223A0} - (no file)
O2 - BHO: (no name) - {A5DB8E50-5CA2-3D08-9A4B-193A130F0CF0} - (no file)
O2 - BHO: (no name) - {A87F6ACD-EB67-DBC5-0966-FE24B2260FAB} - (no file)
O2 - BHO: (no name) - {DA55CFD4-5636-0FCC-4741-5F50A7543FC2} - (no file)
O2 - BHO: (no name) - {DE55CFA5-5634-7CCA-4744-5A50D4513FC6} - (no file)
O2 - BHO: (no name) - {E8142A6C-F3C8-CE6F-F79C-E105D01717A3} - (no file)
O2 - BHO: (no name) - {EB78FFA5-7B07-49FE-6A74-6A7DE46112F6} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FE20CA43-15B3-291A-D4BF-06BBBBE456FB} - (no file)
O3 - Toolbar: (no name) - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - (no file)
O4 - HKLM\..\RunOnce: [u2p8rlh.exe] C:\WINDOWS\system32\u2p8rlh.exe /k
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt mt
O4 - HKCU\..\RunOnce: [u2p8rlh.exe] C:\WINDOWS\system32\u2p8rlh.exe /k
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loader.com/load/ccaccess.cab
O20 - Winlogon Notify: ddayx - ddayx.dll (file missing)
O20 - Winlogon Notify: logwave - C:\WINDOWS\Help\logwave.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know. A folder or file name with a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\u2p8rlh.exe <==file
C:\Program Files\apsi\wtta.exe <==file
C:\WINDOWS\Help\logwave.dll <==file
C:\WINDOWS\svcproc.exe <==file
xuadd.dll <==file You will have to search for this file. It may be in C:\WINDOWS\system32\ or C:\windows.
ddayx.dll <==file You will have to search for this file. It may be in C:\WINDOWS\system32\ or C:\windows.


*******************************************

CCleaner Tutorial

Let's empty the temp files:

Download CCleaner and install it. (default location is best).

1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.
In the Windows Tab:
o Clean all entries in the "Internet Explorer" section except Cookies.
o Clean all the entries in the "Windows Explorer" section.
o Clean all entries in the "System" section.
o Clean all entries in the "Advanced" section.
o Clean any others that you choose.
In the Applications Tab:
o Clean all except cookies in the Firefox/Mozilla section if you use it.
o Clean all in the Opera section if you use it.
o Clean Sun Java in the Internet Section.
o Clean any others that you choose.
3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Please make sure that Word Wrap is turned OFF in Notepad before you copy and paste the HijackThis log here. Take a look at the log you just posted. It's an eye killer :flowers:

Finally, reboot to the Normal Mode and post a new HijackThis log, and tell me how your computer is running.

Edited by SifuMike, 12 January 2006 - 12:20 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
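
The file hunt above comes straight from reading the O20 and O23 entries in the first log: a Winlogon Notify DLL or a service whose file is reported missing, or whose owner is unknown, is what a helper looks at first. As an added example that is not part of this thread and not HijackThis code, here is a small Python triage script that parses the O4, O20 and O23 lines of a HijackThis-style log and lists the entries worth checking. The sample lines are constructed from the two logs in this thread, and the flagging rules (file missing, Winlogon Notify DLL given without a directory, service with no identifiable owner) are my own assumptions about what to look at first, not HijackThis's own logic.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not HijackThis code and was not used by
the helper or the poster. It parses the O4/O20/O23 lines and flags the entries
a helper would look at first: files missing on disk, Winlogon Notify DLLs
listed without a directory, and services with no identifiable owner. The
flagging rules are this example's own assumptions, not HijackThis's logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on lines from the two logs in this thread
# (not a verbatim log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: ddayx - ddayx.dll (file missing)
O20 - Winlogon Notify: logwave - C:\WINDOWS\Help\logwave.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str            # HijackThis section, e.g. "O20"
    name: str               # Run value name, Winlogon Notify key or service name
    path: str               # file the entry points at (may be a bare file name)
    owner: Optional[str]    # company string, only present for O23 services
    file_missing: bool      # HijackThis appended "(file missing)"
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O-section line; returns None for lines of other kinds."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    file_missing = body.endswith(MISSING)
    if file_missing:
        body = body[: -len(MISSING)].rstrip()
    owner = None
    if section == "O20":
        # "Winlogon Notify: <key> - <dll>"
        head, _, path = body.partition(" - ")
        name = head.split(": ", 1)[1]
    elif section == "O23":
        # "Service: <display name> - <owner> - <path>"; maxsplit=2 keeps any " - " in the path
        parts = body.split(" - ", 2)
        if len(parts) != 3:
            return None
        head, owner, path = parts
        name = head.split(": ", 1)[1]
    elif section == "O4":
        # "HKLM\..\Run: [<value name>] <command line>"
        m4 = re.match(r"(.+?): \[(.+?)\] (.+)$", body)
        if not m4:
            return None
        name, path = m4.group(2), m4.group(3).strip('"')
    else:
        name, path = body, ""
    return Entry(section, name, path, owner, file_missing)


def assess(entry: Entry) -> Entry:
    """Attach the reasons (assumed rules) a helper would want to look at this entry."""
    if entry.file_missing:
        entry.reasons.append("referenced file is missing on disk (stale or already removed)")
    if entry.section == "O20" and "\\" not in entry.path and "/" not in entry.path:
        entry.reasons.append("Winlogon Notify DLL listed without a directory")
    if entry.section == "O23" and entry.owner == "Unknown owner":
        entry.reasons.append("service has no identifiable owner")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that have at least one reason attached, in log order."""
    flagged = []
    for ln in log_text.splitlines():
        entry = parse_line(ln)
        if entry is None:
            continue
        assess(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} {e.name}: {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the constructed sample it lists ddayx, logwave and the SvcProc service, and leaves the Symantec and Intel graphics entries alone; paste a real log into SAMPLE_LOG (or read it from a file) to get the same first-pass list the helper built by hand above.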

#5 Krawlspace (Topic Starter, Members, 48 posts)

Posted 12 January 2006 - 02:41 PM

Well smack my forehead and call me n00b. Sorry for the wordwrap issue. It looked funky when I posted but didn't dawn on me as to why.

OK, so all steps taken as described. Only file found to delete was u2p8rlh.exe.
All others non-existent.

System seems stable and launches IE with no issues.

New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:35 PM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 12 January 2006 - 02:50 PM

Hello Krawlspace,

Your log looks clean! :thumbsup:

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again.

#7 Krawlspace (Topic Starter, Members, 48 posts)

Posted 12 January 2006 - 03:53 PM

THANK YOU SifuMike!!!!!!!

Edited by Krawlspace, 12 January 2006 - 03:54 PM.


#8 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 13 January 2006 - 09:12 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.