
Computer Is Cursed Wil Every Thing At Once


  • This topic is locked
14 replies to this topic

#1 fatewitch

fatewitch

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 16 February 2006 - 09:33 PM

I am unable to system restore or access the command prompt window or access regedit through the Run dialog window... I have multiple pop-ups getting past a pop-up blocker tighter than Fort Knox. Please help, I am missing valuable Civ 4 time :thumbsup:







Logfile of HijackThis v1.99.1
Scan saved at 9:20:35 PM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms10-998215863.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\My Documents\My Videos\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Dan\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\Danny\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [8.tmp.exe] C:\DOCUME~1\Danny\LOCALS~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\Danny\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\3B Software\3B Ad Blocker Pro\AdBlocker.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms10-998215863] C:\WINDOWS\ms10-998215863.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 3
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://officeint.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103343161750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131619747359
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-01AA0055595A} - http://truesuite.com/truewatch/TrueWatchInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{47600791-2581-46AC-99F0-1F6C6A3F4CDB}: NameServer = 85.255.115.29,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{47600791-2581-46AC-99F0-1F6C6A3F4CDB}: NameServer = 85.255.115.29,85.255.112.140
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 18 February 2006 - 06:32 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout

http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

Fix these with HJT – mark them, close IE, click fix checked

O17 - HKLM\System\CCS\Services\Tcpip\..\{47600791-2581-46AC-99F0-1F6C6A3F4CDB}: NameServer = 85.255.115.29,85.255.112.140

O17 - HKLM\System\CS1\Services\Tcpip\..\{47600791-2581-46AC-99F0-1F6C6A3F4CDB}: NameServer = 85.255.115.29,85.255.112.140

If you have connection problems after this:

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .
· Double-click the Network Connections icon
· Right-click the Local Area Connection icon and select Properties.
· Highlight Internet Protocol (TCP/IP) and click the Properties button.
· Be sure Obtain DNS server address automatically is selected.
· OK your way out.


* Go to Start > Run and type in cmd
· Click OK.
· This will open a command prompt.
· Type or copy and paste the following line in the command window:

ipconfig /flushdns
· Hit Enter
· Exit the command window

Do that before you restart.

=============
At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

==================================
If you get an Autoexec nt error do the following

XP Fix - http://www.visualtour.com/downloads/

Scroll down to get XP Fix

And run FixWareout again.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
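The entries the helper singles out above (the two O17 NameServer lines and the odd O4 autoruns) can be screened mechanically before anyone clicks "fix checked". The following is an added example, not part of this thread and not code from HijackThis, FixWareout or BleepingComputer: it parses a few HijackThis v1.99 lines copied from the log posted earlier, flags O17 NameServer entries that fall outside an assumed allow-list of expected DNS networks, and flags O4 Run entries that point into a Temp directory, are bare filenames resolved via the search path, or sit directly in the Windows directory. The allow-list, the heuristics and the `analyze`/`check_nameservers`/`check_run_entry`/`extract_path` names are assumptions made for the illustration, not rules HijackThis applies.

```python
"""Screen HijackThis-style log lines for DNS hijack and suspect autorun entries.

Added example for this thread; not HijackThis, FixWareout or BleepingComputer code.
"""
import ipaddress
import re

# Constructed sample: six lines in HijackThis v1.99 format copied from the log
# posted earlier in this thread (a mix of legitimate and suspect entries).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"',
    r'O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\Danny\LOCALS~1\Temp\7.tmp.exe',
    r'O4 - HKLM\..\Run: [winlog] winlog.exe',
    r'O4 - HKLM\..\Run: [ms10-998215863] C:\WINDOWS\ms10-998215863.exe',
    r'O17 - HKLM\System\CCS\Services\Tcpip\..\{47600791-2581-46AC-99F0-1F6C6A3F4CDB}: NameServer = 85.255.115.29,85.255.112.140',
    r'O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE',
]

# Assumption for this example: DNS servers are expected only inside these
# networks (the LAN router's private range plus a placeholder block standing in
# for the ISP's resolvers). Any O17 NameServer outside them is flagged for review.
EXPECTED_DNS_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),  # placeholder ISP range (TEST-NET-1)
]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def check_nameservers(servers: str) -> list:
    """Return one reason per nameserver that is not inside an expected network."""
    reasons = []
    for raw in servers.split(","):
        raw = raw.strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            reasons.append(f"unparseable nameserver {raw!r}")
            continue
        if not any(ip in net for net in EXPECTED_DNS_NETWORKS):
            reasons.append(f"nameserver {ip} outside expected networks")
    return reasons


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run value, dropping switches like /auto."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def check_run_entry(path: str) -> list:
    """Heuristics (assumed, not HijackThis's) for an O4 autorun executable path."""
    reasons = []
    low = path.lower()
    if "\\temp\\" in low:
        reasons.append("autorun points into a Temp directory")
    if "\\" not in path:
        reasons.append("bare filename, resolved via search path (verify which file runs)")
    elif re.fullmatch(r"[a-z]:\\windows\\[^\\]+", low):
        reasons.append("executable placed directly in the Windows directory")
    return reasons


def analyze(lines) -> list:
    """Return (section, label, reasons) for every line that trips a check."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = O17_RE.match(line)
        if m:
            reasons = check_nameservers(m.group("servers"))
            if reasons:
                findings.append(("O17", m.group("key"), reasons))
            continue
        m = O4_RE.match(line)
        if m:
            reasons = check_run_entry(extract_path(m.group("cmd")))
            if reasons:
                findings.append(("O4", m.group("name"), reasons))
    return findings


if __name__ == "__main__":
    for section, label, reasons in analyze(SAMPLE_LINES):
        print(f"{section} [{label}]: " + "; ".join(reasons))
```

Run against the sample, the script flags the O17 line (both nameservers are outside the assumed networks) and the `7.tmp`, `winlog` and `ms10-998215863` autoruns, while `gcasServ` and the Lexmark service pass. The heuristics are deliberately coarse: a bare filename such as `lexstart.exe` in the log above is legitimate, which is why the output is a review list and not a removal list.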

#3 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 20 February 2006 - 06:14 PM

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hzgmd
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmgzh.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMGZH.EXE
C:\WINDOWS\SYSTEM32\CSBHZ.EXE
* csr.exe C:\WINDOWS\System32\CSBHZ.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool
Logfile of HijackThis v1.99.1
Scan saved at 6:13:38 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys0298215863-9.exe
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\My Documents\My Videos\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Dan\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0298215863-9] C:\WINDOWS\sys0298215863-9.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [dmvkg.exe] C:\WINDOWS\system32\dmvkg.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://officeint.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103343161750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131619747359
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-01AA0055595A} - http://truesuite.com/truewatch/TrueWatchInstall.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 20 February 2006 - 06:16 PM

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 20 February 2006 - 09:12 PM

This is the Spy Sweeper log and the latest Hijack This log.
I am still unable to get a command prompt window, regedit or system restore.

I get an error message saying cmd is not a valid Win32 application.


********
7:57 PM: | Start of Session, Monday, February 20, 2006 |
7:57 PM: Spy Sweeper started
7:57 PM: Sweep initiated using definitions version 617
7:57 PM: Starting Memory Sweep
7:58 PM: Found Trojan Horse: trojan-downloader-ruin
7:58 PM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
7:59 PM: Found Adware: enbrowser
7:59 PM: Detected running threat: C:\WINDOWS\SYSC00.exe (ID = 244277)
7:59 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || TheMonitor (ID = 0)
8:00 PM: Detected running threat: C:\Program Files\Internet Explorer\iexplore.exe (ID = 81)
8:01 PM: Memory Sweep Complete, Elapsed Time: 00:03:57
8:01 PM: Starting Registry Sweep
8:01 PM: HKLM\software\microsoft\windows\currentversion\ruins\ (1 subtraces) (ID = 605128)
8:01 PM: Found Adware: visfx
8:01 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (1 subtraces) (ID = 712951)
8:01 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
8:01 PM: Found Adware: command
8:01 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
8:01 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
8:01 PM: HKLM\software\microsoft\windows\currentversion\run\ || themonitor (ID = 1028873)
8:01 PM: Found Adware: quicklink search toolbar
8:01 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (5 subtraces) (ID = 1134093)
8:01 PM: Found Adware: dollarrevenue
8:01 PM: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
8:01 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (5 subtraces) (ID = 1134251)
8:01 PM: HKU\S-1-5-21-796845957-764733703-682003330-1006\software\system\sysuid\ (1 subtraces) (ID = 731748)
8:01 PM: Registry Sweep Complete, Elapsed Time:00:00:29
8:01 PM: Starting Cookie Sweep
8:01 PM: Found Spy Cookie: 80503492 cookie
8:01 PM: dan@80503492[2].txt (ID = 2013)
8:01 PM: Found Spy Cookie: websponsors cookie
8:01 PM: dan@a.websponsors[2].txt (ID = 3665)
8:01 PM: Found Spy Cookie: yieldmanager cookie
8:01 PM: dan@ad.yieldmanager[1].txt (ID = 3751)
8:01 PM: dan@ad.yieldmanager[2].txt (ID = 3751)
8:01 PM: Found Spy Cookie: adknowledge cookie
8:01 PM: dan@adknowledge[2].txt (ID = 2072)
8:01 PM: Found Spy Cookie: hbmediapro cookie
8:01 PM: dan@adopt.hbmediapro[2].txt (ID = 2768)
8:01 PM: Found Spy Cookie: pointroll cookie
8:01 PM: dan@ads.pointroll[2].txt (ID = 3148)
8:01 PM: Found Spy Cookie: banners cookie
8:01 PM: dan@banners[1].txt (ID = 2282)
8:01 PM: dan@banners[2].txt (ID = 2282)
8:01 PM: Found Spy Cookie: bluestreak cookie
8:01 PM: dan@bluestreak[2].txt (ID = 2314)
8:01 PM: Found Spy Cookie: casalemedia cookie
8:01 PM: dan@casalemedia[2].txt (ID = 2354)
8:01 PM: Found Spy Cookie: exitexchange cookie
8:01 PM: dan@exitexchange[2].txt (ID = 2633)
8:01 PM: Found Spy Cookie: clickandtrack cookie
8:01 PM: dan@hits.clickandtrack[2].txt (ID = 2397)
8:01 PM: Found Spy Cookie: 2o7.net cookie
8:01 PM: dan@msnportal.112.2o7[1].txt (ID = 1958)
8:01 PM: dan@partygaming.122.2o7[1].txt (ID = 1958)
8:01 PM: Found Spy Cookie: partypoker cookie
8:01 PM: dan@partypoker[1].txt (ID = 3111)
8:01 PM: Found Spy Cookie: overture cookie
8:01 PM: dan@perf.overture[1].txt (ID = 3106)
8:01 PM: Found Spy Cookie: realmedia cookie
8:01 PM: dan@realmedia[1].txt (ID = 3235)
8:01 PM: Found Spy Cookie: revenue.net cookie
8:01 PM: dan@revenue[1].txt (ID = 3257)
8:01 PM: Found Spy Cookie: server.iad.liveperson cookie
8:01 PM: dan@server.iad.liveperson[2].txt (ID = 3341)
8:01 PM: Found Spy Cookie: tacoda cookie
8:01 PM: dan@tacoda[2].txt (ID = 6444)
8:01 PM: Found Spy Cookie: trafficmp cookie
8:01 PM: dan@trafficmp[1].txt (ID = 3581)
8:01 PM: Found Spy Cookie: videodome cookie
8:01 PM: dan@videodome[1].txt (ID = 3638)
8:01 PM: Found Spy Cookie: stopzilla cookie
8:01 PM: dan@www.stopzilla[1].txt (ID = 3466)
8:01 PM: dan@yieldmanager[1].txt (ID = 3749)
8:01 PM: Found Spy Cookie: adserver cookie
8:01 PM: dan@z1.adserver[1].txt (ID = 2142)
8:01 PM: Found Spy Cookie: zedo cookie
8:01 PM: dan@zedo[1].txt (ID = 3762)
8:01 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
8:01 PM: Starting File Sweep
8:02 PM: Found Adware: surfsidekick
8:02 PM: c:\program files\common files\vcclient (5 subtraces) (ID = -2147461290)
8:02 PM: a0197596.exe (ID = 147)
8:02 PM: a0208380.exe (ID = 147)
8:02 PM: a0209841.exe (ID = 147)
8:02 PM: a0209824.exe (ID = 246)
8:02 PM: a0208132.exe (ID = 147)
8:02 PM: a0209829.exe (ID = 147)
8:02 PM: a0208283.exe (ID = 246)
8:03 PM: a0208373.exe (ID = 246)
8:03 PM: Found Trojan Horse: trojan-downloader-adaware.cc
8:03 PM: a0145924.exe (ID = 216039)
8:03 PM: a0198687.exe (ID = 147)
8:03 PM: a0208106.exe (ID = 147)
8:04 PM: a0209423.exe (ID = 147)
8:04 PM: a0207982.exe (ID = 231443)
8:04 PM: a0208407.exe (ID = 246)
8:04 PM: a0209860.exe (ID = 147)
8:04 PM: a0208425.exe (ID = 147)
8:04 PM: a0196596.exe (ID = 147)
8:04 PM: a0208417.exe (ID = 246)
8:04 PM: a0209417.exe (ID = 246)
8:04 PM: a0209436.exe (ID = 147)
8:04 PM: a0209428.exe (ID = 246)
8:04 PM: a0209854.exe (ID = 147)
8:04 PM: a0209439.exe (ID = 246)
8:04 PM: a0209454.exe (ID = 246)
8:04 PM: a0209469.exe (ID = 246)
8:05 PM: a0209488.exe (ID = 246)
8:05 PM: a0208413.exe (ID = 147)
8:05 PM: a0209505.exe (ID = 246)
8:05 PM: a0209529.exe (ID = 246)
8:05 PM: a0208288.exe (ID = 147)
8:05 PM: a0206749.exe (ID = 147)
8:05 PM: a0209462.exe (ID = 147)
8:05 PM: a0209474.exe (ID = 147)
8:05 PM: a0209533.exe (ID = 246)
8:05 PM: a0209565.exe (ID = 246)
8:05 PM: a0209589.exe (ID = 246)
8:05 PM: a0209617.exe (ID = 246)
8:06 PM: a0208209.exe (ID = 244278)
8:06 PM: a0209800.exe (ID = 246)
8:06 PM: a0209836.exe (ID = 246)
8:06 PM: a0209813.exe (ID = 246)
8:06 PM: dmgas.exe (ID = 147)
8:06 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || dmgas.exe (ID = 0)
8:06 PM: a0209880.exe (ID = 147)
8:07 PM: a0209888.exe (ID = 147)
8:07 PM: a0209849.exe (ID = 246)
8:07 PM: csbhz.exe (ID = 246)
8:07 PM: a0197632.exe (ID = 147)
8:07 PM: a0199686.exe (ID = 147)
8:07 PM: uninstall_nmon.vbs (ID = 231442)
8:07 PM: Found Adware: maxifiles
8:07 PM: a0200730.exe (ID = 185254)
8:07 PM: a0206753.exe (ID = 147)
8:07 PM: a0207787.exe (ID = 147)
8:07 PM: a0206771.exe (ID = 147)
8:08 PM: a0157427.exe (ID = 216039)
8:08 PM: a0201738.exe (ID = 147)
8:08 PM: a0205744.exe (ID = 147)
8:08 PM: a0207827.exe (ID = 147)
8:09 PM: a0209510.exe (ID = 147)
8:09 PM: a0209447.exe (ID = 147)
8:09 PM: a0209538.exe (ID = 147)
8:09 PM: a0197661.exe (ID = 147)
8:09 PM: a0209493.exe (ID = 147)
8:10 PM: a0209570.exe (ID = 147)
8:10 PM: a0209594.exe (ID = 147)
8:10 PM: pf78.exe (ID = 244430)
8:10 PM: a0209622.exe (ID = 147)
8:10 PM: a0209818.exe (ID = 147)
8:10 PM: a0198663.exe (ID = 147)
8:10 PM: a0146376.exe (ID = 216039)
8:11 PM: a0199733.exe (ID = 147)
8:11 PM: a0209624.exe (ID = 147)
8:13 PM: a0199734.exe (ID = 185254)
8:13 PM: a0200731.exe (ID = 147)
8:13 PM: a0201735.exe (ID = 185254)
8:13 PM: a0208018.exe (ID = 185254)
8:14 PM: a0146097.exe (ID = 216039)
8:15 PM: a0145580.exe (ID = 216039)
8:22 PM: a0207967.exe (ID = 244295)
8:25 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
8:25 PM: a0209805.exe (ID = 147)
8:25 PM: Found Adware: idesk
8:25 PM: dc10.sys (ID = 205674)
8:26 PM: a0208350.exe (ID = 246)
8:26 PM: a0208252.exe (ID = 246)
8:26 PM: a0196582.exe (ID = 147)
8:26 PM: a0208259.exe (ID = 147)
8:26 PM: a0208358.exe (ID = 147)
8:26 PM: a0208093.exe (ID = 147)
8:27 PM: sysc00.exe (ID = 244277)
8:27 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || TheMonitor (ID = 0)
8:27 PM: a0209527.exe (ID = 244278)
8:27 PM: dc9.exe (ID = 232868)
8:27 PM: a0197621.exe (ID = 147)
8:27 PM: a0196570.exe (ID = 147)
8:29 PM: vcupdate.exe.config (ID = 212361)
8:33 PM: a0208045.exe (ID = 147)
8:42 PM: a0208005.exe (ID = 244271)
8:42 PM: uni_eh.exe (ID = 245110)
8:42 PM: unin101.exe (ID = 245111)
8:45 PM: a0200772.cfg (ID = 208796)
8:49 PM: Warning: Failed to open file "c:\documents and settings\dan\local settings\temporary internet files\content.ie5\vmfwoehe\sspsetup4129_1850904522[1].exe:zone.identifier". The system cannot find the file specified
8:49 PM: Found Adware: tibs dialer
8:49 PM: xxx.lnk (ID = 79520)
8:50 PM: Found Trojan Horse: trojan-downloader-perlink.biz
8:50 PM: a0145576.exe (ID = 212699)
8:50 PM: a0145922.exe (ID = 212699)
8:50 PM: a0146095.exe (ID = 212699)
8:50 PM: a0146374.exe (ID = 212699)
8:50 PM: dc5.exe (ID = 212699)
8:50 PM: Found Adware: webhancer
8:50 PM: a0200749.ini (ID = 188794)
8:50 PM: vcclient.exe.config (ID = 212358)
8:50 PM: Warning: Unable to sweep compressed file: System Error. Code: 5.
Access is denied
8:53 PM: File Sweep Complete, Elapsed Time: 00:51:36
8:53 PM: Full Sweep has completed. Elapsed time 00:56:12
8:53 PM: Traces Found: 184
8:53 PM: Processing Startup Alerts
8:53 PM: Allowed Startup entry: Yahoo! Pager
8:55 PM: Removal process initiated
8:55 PM: Quarantining All Traces: adknowledge cookie
8:55 PM: Quarantining All Traces: adserver cookie
8:55 PM: Quarantining All Traces: banners cookie
8:55 PM: Quarantining All Traces: bluestreak cookie
8:55 PM: Quarantining All Traces: casalemedia cookie
8:55 PM: Quarantining All Traces: clickandtrack cookie
8:55 PM: Quarantining All Traces: exitexchange cookie
8:55 PM: Quarantining All Traces: hbmediapro cookie
8:55 PM: Quarantining All Traces: overture cookie
8:55 PM: Quarantining All Traces: partypoker cookie
8:55 PM: Quarantining All Traces: realmedia cookie
8:55 PM: Quarantining All Traces: revenue.net cookie
8:55 PM: Quarantining All Traces: tacoda cookie
8:55 PM: Quarantining All Traces: trafficmp cookie
8:55 PM: Quarantining All Traces: videodome cookie
8:55 PM: Quarantining All Traces: websponsors cookie
8:55 PM: Quarantining All Traces: zedo cookie
8:55 PM: Quarantining All Traces: trojan-downloader-ruin
8:55 PM: Warning: Unable to quarantine C:\WINDOWS\explorer.exe. This is a protected operating system file.
8:56 PM: Failed to quarantine trojan-downloader-ruin
8:56 PM: Quarantining All Traces: enbrowser
8:56 PM: enbrowser is in use. It will be removed on reboot.
8:56 PM: Quarantining All Traces: visfx
8:56 PM: Quarantining All Traces: command
8:56 PM: Quarantining All Traces: quicklink search toolbar
8:56 PM: Quarantining All Traces: dollarrevenue
8:56 PM: Quarantining All Traces: 80503492 cookie
8:56 PM: Quarantining All Traces: yieldmanager cookie
8:56 PM: Quarantining All Traces: pointroll cookie
8:56 PM: Quarantining All Traces: 2o7.net cookie
8:56 PM: Quarantining All Traces: server.iad.liveperson cookie
8:56 PM: Quarantining All Traces: stopzilla cookie
8:56 PM: Quarantining All Traces: surfsidekick
8:56 PM: Quarantining All Traces: trojan-downloader-adaware.cc
8:56 PM: Quarantining All Traces: maxifiles
8:56 PM: Quarantining All Traces: idesk
8:56 PM: Quarantining All Traces: tibs dialer
8:56 PM: Quarantining All Traces: trojan-downloader-perlink.biz
8:56 PM: Quarantining All Traces: webhancer
8:56 PM: Warning: Timed out waiting for explorer.exe
8:56 PM: Warning: Timed out waiting for explorer.exe
8:56 PM: Warning: Timed out waiting for explorer.exe
8:56 PM: Warning: Quarantine process could not restart Explorer.
8:57 PM: Preparing to restart your computer. Please wait...
8:57 PM: Removal process completed. Elapsed time 00:02:04
9:01 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
9:01 PM: IE Tracking Cookies Shield: Removed addynamix cookie
9:01 PM: IE Tracking Cookies Shield: Removed falkag cookie
9:01 PM: IE Tracking Cookies Shield: Removed bluestreak cookie
9:01 PM: IE Tracking Cookies Shield: Removed exitexchange cookie
9:01 PM: IE Tracking Cookies Shield: Removed hbmediapro cookie
9:01 PM: IE Tracking Cookies Shield: Removed screensavers.com cookie
9:01 PM: IE Tracking Cookies Shield: Removed starware.com cookie
9:01 PM: IE Tracking Cookies Shield: Removed screensavers.com cookie
********
6:30 PM: | Start of Session, Monday, February 20, 2006 |
6:30 PM: Spy Sweeper started
6:30 PM: Sweep initiated using definitions version 617
6:30 PM: Starting Memory Sweep
6:31 PM: Found Trojan Horse: trojan-downloader-ruin
6:31 PM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
6:33 PM: Found Adware: enbrowser
6:33 PM: Detected running threat: C:\WINDOWS\SYSC00.exe (ID = 244277)
6:33 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || TheMonitor (ID = 0)
6:33 PM: Detected running threat: C:\Program Files\Internet Explorer\iexplore.exe (ID = 81)
6:34 PM: Memory Sweep Complete, Elapsed Time: 00:03:26
6:34 PM: Starting Registry Sweep
6:34 PM: HKLM\software\microsoft\windows\currentversion\ruins\ (1 subtraces) (ID = 605128)
6:34 PM: Found Adware: visfx
6:34 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (1 subtraces) (ID = 712951)
6:34 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
6:34 PM: Found Adware: command
6:34 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
6:34 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
6:34 PM: HKLM\software\microsoft\windows\currentversion\run\ || themonitor (ID = 1028873)
6:34 PM: Found Adware: quicklink search toolbar
6:34 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (5 subtraces) (ID = 1134093)
6:34 PM: Found Adware: dollarrevenue
6:34 PM: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
6:34 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (5 subtraces) (ID = 1134251)
6:34 PM: HKU\S-1-5-21-796845957-764733703-682003330-1006\software\system\sysuid\ (1 subtraces) (ID = 731748)
6:34 PM: Registry Sweep Complete, Elapsed Time:00:00:22
6:34 PM: Starting Cookie Sweep
6:34 PM: Found Spy Cookie: 80503492 cookie
6:34 PM: dan@80503492[2].txt (ID = 2013)
6:34 PM: Found Spy Cookie: yieldmanager cookie
6:34 PM: dan@ad.yieldmanager[1].txt (ID = 3751)
6:34 PM: dan@ad.yieldmanager[2].txt (ID = 3751)
6:34 PM: Found Spy Cookie: pointroll cookie
6:34 PM: dan@ads.pointroll[2].txt (ID = 3148)
6:34 PM: Found Spy Cookie: 2o7.net cookie
6:34 PM: dan@msnportal.112.2o7[1].txt (ID = 1958)
6:34 PM: Found Spy Cookie: server.iad.liveperson cookie
6:34 PM: dan@server.iad.liveperson[2].txt (ID = 3341)
6:34 PM: Found Spy Cookie: stopzilla cookie
6:34 PM: dan@www.stopzilla[1].txt (ID = 3466)
6:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
6:34 PM: Starting File Sweep
6:34 PM: Found Adware: surfsidekick
6:34 PM: c:\program files\common files\vcclient (5 subtraces) (ID = -2147461290)
6:35 PM: a0197596.exe (ID = 147)
6:35 PM: a0208380.exe (ID = 147)
6:35 PM: a0209841.exe (ID = 147)
6:35 PM: a0209824.exe (ID = 246)
6:35 PM: a0208132.exe (ID = 147)
6:35 PM: a0209829.exe (ID = 147)
6:35 PM: a0208283.exe (ID = 246)
6:36 PM: a0208373.exe (ID = 246)
6:36 PM: Found Trojan Horse: trojan-downloader-adaware.cc
6:36 PM: a0145924.exe (ID = 216039)
6:36 PM: a0198687.exe (ID = 147)
6:37 PM: a0208106.exe (ID = 147)
6:37 PM: a0209423.exe (ID = 147)
6:37 PM: a0207982.exe (ID = 231443)
6:37 PM: a0208407.exe (ID = 246)
6:37 PM: a0209860.exe (ID = 147)
6:37 PM: a0208425.exe (ID = 147)
6:37 PM: a0196596.exe (ID = 147)
6:37 PM: a0208417.exe (ID = 246)
6:37 PM: a0209417.exe (ID = 246)
6:37 PM: a0209436.exe (ID = 147)
6:37 PM: a0209428.exe (ID = 246)
6:37 PM: a0209854.exe (ID = 147)
6:37 PM: a0209439.exe (ID = 246)
6:37 PM: a0209454.exe (ID = 246)
6:37 PM: a0209469.exe (ID = 246)
6:38 PM: a0209488.exe (ID = 246)
6:38 PM: a0208413.exe (ID = 147)
6:38 PM: a0209505.exe (ID = 246)
6:38 PM: a0209529.exe (ID = 246)
6:38 PM: a0208288.exe (ID = 147)
6:38 PM: a0206749.exe (ID = 147)
6:38 PM: a0209462.exe (ID = 147)
6:38 PM: a0209474.exe (ID = 147)
6:38 PM: a0209533.exe (ID = 246)
6:38 PM: a0209565.exe (ID = 246)
6:38 PM: a0209589.exe (ID = 246)
6:38 PM: a0209617.exe (ID = 246)
6:39 PM: a0208209.exe (ID = 244278)
6:39 PM: a0209800.exe (ID = 246)
6:39 PM: a0209836.exe (ID = 246)
6:39 PM: a0209813.exe (ID = 246)
6:39 PM: dmgas.exe (ID = 147)
6:39 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || dmgas.exe (ID = 0)
6:40 PM: a0209880.exe (ID = 147)
6:40 PM: a0209888.exe (ID = 147)
6:40 PM: a0209849.exe (ID = 246)
6:40 PM: csbhz.exe (ID = 246)
6:40 PM: a0197632.exe (ID = 147)
6:40 PM: a0199686.exe (ID = 147)
6:40 PM: uninstall_nmon.vbs (ID = 231442)
6:40 PM: Found Adware: maxifiles
6:40 PM: a0200730.exe (ID = 185254)
6:40 PM: a0206753.exe (ID = 147)
6:41 PM: a0207787.exe (ID = 147)
6:41 PM: a0206771.exe (ID = 147)
6:41 PM: a0157427.exe (ID = 216039)
6:41 PM: a0201738.exe (ID = 147)
6:41 PM: a0205744.exe (ID = 147)
6:41 PM: a0207827.exe (ID = 147)
6:42 PM: a0209510.exe (ID = 147)
6:42 PM: a0209447.exe (ID = 147)
6:42 PM: a0209538.exe (ID = 147)
6:43 PM: a0197661.exe (ID = 147)
6:43 PM: a0209493.exe (ID = 147)
6:43 PM: a0209570.exe (ID = 147)
6:43 PM: a0209594.exe (ID = 147)
6:43 PM: pf78.exe (ID = 244430)
6:43 PM: a0209622.exe (ID = 147)
6:43 PM: a0209818.exe (ID = 147)
6:43 PM: a0198663.exe (ID = 147)
6:44 PM: a0146376.exe (ID = 216039)
6:44 PM: a0199733.exe (ID = 147)
6:44 PM: a0209624.exe (ID = 147)
6:46 PM: a0199734.exe (ID = 185254)
6:46 PM: a0200731.exe (ID = 147)
6:46 PM: a0201735.exe (ID = 185254)
6:46 PM: a0208018.exe (ID = 185254)
6:48 PM: a0146097.exe (ID = 216039)
6:48 PM: a0145580.exe (ID = 216039)
6:56 PM: a0207967.exe (ID = 244295)
6:59 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
6:59 PM: a0209805.exe (ID = 147)
6:59 PM: Found Adware: idesk
6:59 PM: dc10.sys (ID = 205674)
7:00 PM: a0208350.exe (ID = 246)
7:00 PM: a0208252.exe (ID = 246)
7:01 PM: a0196582.exe (ID = 147)
7:01 PM: a0208259.exe (ID = 147)
7:01 PM: a0208358.exe (ID = 147)
7:01 PM: a0208093.exe (ID = 147)
7:01 PM: sysc00.exe (ID = 244277)
7:01 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || TheMonitor (ID = 0)
7:01 PM: a0209527.exe (ID = 244278)
7:01 PM: dc9.exe (ID = 232868)
7:01 PM: a0197621.exe (ID = 147)
7:02 PM: a0196570.exe (ID = 147)
7:03 PM: vcupdate.exe.config (ID = 212361)
7:08 PM: a0208045.exe (ID = 147)
7:16 PM: a0208005.exe (ID = 244271)
7:16 PM: uni_eh.exe (ID = 245110)
7:16 PM: unin101.exe (ID = 245111)
7:19 PM: a0200772.cfg (ID = 208796)
7:23 PM: Warning: Failed to open file "c:\documents and settings\dan\local settings\temporary internet files\content.ie5\c1czy7yj\x-click-but21[1].gif". The system cannot find the file specified
7:23 PM: Warning: Failed to open file "c:\documents and settings\dan\local settings\temporary internet files\content.ie5\c1czy7yj\caox69zk.gif". The system cannot find the file specified
7:23 PM: Found Adware: tibs dialer
7:23 PM: xxx.lnk (ID = 79520)
7:23 PM: Found Trojan Horse: trojan-downloader-perlink.biz
7:23 PM: a0145576.exe (ID = 212699)
7:23 PM: a0145922.exe (ID = 212699)
7:23 PM: a0146095.exe (ID = 212699)
7:23 PM: a0146374.exe (ID = 212699)
7:23 PM: dc5.exe (ID = 212699)
7:23 PM: Found Adware: webhancer
7:23 PM: a0200749.ini (ID = 188794)
7:23 PM: vcclient.exe.config (ID = 212358)
7:23 PM: Warning: Unable to sweep compressed file: System Error. Code: 5.
Access is denied
7:25 PM: Warning: Unhandled Archive Type
7:39 PM: Warning: Invalid Stream
7:41 PM: File Sweep Complete, Elapsed Time: 01:06:51
7:41 PM: Full Sweep has completed. Elapsed time 01:10:45
7:41 PM: Traces Found: 164
********
6:27 PM: | Start of Session, Monday, February 20, 2006 |
6:27 PM: Spy Sweeper started
6:29 PM: Your spyware definitions have been updated.
6:30 PM: | End of Session, Monday, February 20, 2006 |
**********************************************************
Logfile of HijackThis v1.99.1
Scan saved at 9:09:44 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sys0298215863-9.exe
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\My Documents\My Videos\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Dan\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sys0298215863-9] C:\WINDOWS\sys0298215863-9.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://officeint.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103343161750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131619747359
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-01AA0055595A} - http://truesuite.com/truewatch/TrueWatchInstall.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 21 February 2006 - 11:41 AM

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now start Killbox and paste the first file listed below into the "Full Pathname and File to Delete" box.

The file name will appear in the window, and if the file exists it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt, and once the "file deleted" message comes up, repeat for each file in turn.

C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tracert.com
=================

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [sys0298215863-9] C:\WINDOWS\sys0298215863-9.exe

O4 - HKLM\..\RunServices: [winlog] winlog.exe

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\sys0298215863-9.exe
C:\WINDOWS\System32\winlog.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
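The .com files in the Killbox list above work because Windows resolves a bare name typed into Run by trying the PATHEXT extensions in order, and .COM sits ahead of .EXE, so system32\cmd.com runs instead of cmd.exe. The check below is an added example, not code from this post or from any tool it names; the directory contents are constructed from the file names in the thread, and the function names are mine.

```python
"""PATHEXT shadowing check (added example, not from the original thread).

Models how cmd.exe resolves a bare command name: each directory on PATH in
order, and within each directory every PATHEXT extension in order. With the
default PATHEXT, .COM beats .EXE, so a dropped cmd.com, regedit.com or
taskkill.com in System32 is what actually launches. On a live machine the
SAMPLE_PATH dictionary would be filled from os.listdir() on the real PATH
directories; here it is constructed from the file names in the thread.
"""
from __future__ import annotations

# Default PATHEXT on Windows XP, highest priority first.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH")

# Constructed PATH listing: {directory: [file names]} in PATH order.
# The .com names are the ones the helper listed for Killbox; regedit.exe
# genuinely lives in C:\WINDOWS rather than System32.
SAMPLE_PATH = {
    r"C:\WINDOWS\system32": [
        "cmd.exe", "CMD.COM", "netstat.exe", "netstat.com",
        "ping.exe", "ping.com", "regedit.com", "tasklist.exe",
        "tasklist.com", "taskkill.exe", "taskkill.com",
        "tracert.exe", "tracert.com", "notepad.exe", "kernel32.dll",
    ],
    r"C:\WINDOWS": ["regedit.exe", "explorer.exe", "notepad.exe"],
}


def resolve(name: str, path_dirs: dict[str, list[str]],
            pathext=DEFAULT_PATHEXT) -> str | None:
    """Return the full path the shell would run for a bare command name.

    Directories are tried in PATH order; inside each directory every
    PATHEXT extension is tried in order, case-insensitively. None means
    nothing on PATH matches the name.
    """
    for directory, files in path_dirs.items():
        lower = {f.lower(): f for f in files}
        for ext in pathext:
            candidate = (name + ext).lower()
            if candidate in lower:
                return directory + "\\" + lower[candidate]
    return None


def find_shadowed(path_dirs: dict[str, list[str]],
                  pathext=DEFAULT_PATHEXT) -> list[tuple[str, str, str]]:
    """Find .exe tools whose bare name resolves to a non-.exe file.

    Returns sorted (command name, file that actually runs, shadowed .exe)
    triples. An .exe shadowed by another .exe (e.g. notepad.exe present in
    two PATH directories) is normal duplication and is not reported.
    """
    findings = set()
    for directory, files in path_dirs.items():
        for f in files:
            if not f.lower().endswith(".exe"):
                continue
            stem = f[:-4]
            winner = resolve(stem, path_dirs, pathext)
            if winner is not None and not winner.lower().endswith(".exe"):
                findings.add((stem.lower(), winner, directory + "\\" + f))
    return sorted(findings)


if __name__ == "__main__":
    for name, winner, legit in find_shadowed(SAMPLE_PATH):
        print(f"{name:10s} runs {winner}  (shadows {legit})")
```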

#7 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts

Posted 21 February 2006 - 08:04 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:03:03 PM, on 2/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dan\My Documents\My Videos\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Dan\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Dan\My Documents\My Videos\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://officeint.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103343161750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131619747359
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-01AA0055595A} - http://truesuite.com/truewatch/TrueWatchInstall.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 21 February 2006 - 08:06 PM

I can now open a cmd prompt window and access the regedit screen :thumbsup: I am still unable to system restore, and my media player from Windows will not work right.

Edited by fatewitch, 21 February 2006 - 08:19 PM.


#9 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 21 February 2006 - 08:37 PM

You do not want to do a restore at this point

uninstall media player and re-install

Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#10 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts

Posted 21 February 2006 - 09:28 PM

The media player works now. Thank you so much, I really appreciate this. I turned off the system restore, rebooted, then turned it back on... what do I do next?

#11 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 21 February 2006 - 10:07 PM

Unless you still have a prob - nothing

Get all of these and/or verify you have the current versions

SpywareBlaster 3.5.1 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS Windows Defender - http://www.microsoft.com/downloads/details...&displaylang=en (XP and W2K only)

Download them (they are free), install them, check each for their definition updates, and then run AdAware, MS AntiSpy (W2k/XP) and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

Check for updates and run weekly
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#12 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts

Posted 23 February 2006 - 05:09 PM

Thanks. What about the system restore, will that eventually be usable again?

#13 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts

Posted 23 February 2006 - 08:00 PM

I don't know what happened, but once again I am unable to open cmd prompt or regedit, and I can't open task manager either.

#14 fatewitch

fatewitch
  • Topic Starter

  • Members
  • 15 posts

Posted 23 February 2006 - 08:04 PM

This is the most recent HJT.

Logfile of HijackThis v1.99.1
Scan saved at 8:01:46 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\csrrs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\My Documents\My Videos\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Dan\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://officeint.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103343161750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131619747359
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-01AA0055595A} - http://truesuite.com/truewatch/TrueWatchInstall.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#15 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • Local time:05:31 AM

Posted 23 February 2006 - 08:23 PM

Fix this:

O4 - Global Startup: svchost.exe

You may have to go to

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and delete that entry.

Run http://www.kaspersky.com/virusscanner - Online scan

When the scan is finished, save the results from the scan!

Post a new HijackThis log along with the results from the Kaspersky scan.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
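As an added example, not from the thread or from any of the tools it names, the following Python script flags the pattern MFDnSC points at above: a file named like a core Windows binary (svchost.exe) that runs from a Startup folder instead of the Windows system directory. The process list and O4 lines inside it are a constructed sample shaped like the log above, and the trusted-directory list assumes the Windows XP layout seen in that log.

```python
"""Added example (not from the thread): flag process and O4 startup entries in a
HijackThis log whose file name matches a core Windows binary but whose directory
is not a Windows system directory, i.e. the 'O4 - Global Startup: svchost.exe'
pattern the reply above says to fix."""
import re
from pathlib import PureWindowsPath

# Core Windows binaries that should only ever run from the system directories.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "explorer.exe"}
# Directories those binaries legitimately live in (assumed Windows XP layout).
TRUSTED_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# Constructed sample, shaped like the HijackThis log in the thread (shortened).
SAMPLE_LOG = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe
C:\\WINDOWS\\system32\\csrrs.exe

O4 - HKLM\\..\\Run: [SHPC32] shpc32.exe
O4 - Global Startup: svchost.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\SAVScan.exe
"""


def suspicious_path(path: str) -> bool:
    """True when the file name is a core system binary but its directory is untrusted."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in TRUSTED_DIRS


def scan_hjt_log(text: str) -> list:
    """Return (kind, line) findings: masquerading running processes and
    startup-folder O4 entries that borrow a system binary's name."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        # Lines in the 'Running processes' section are bare absolute paths.
        if re.match(r"^[a-z]:\\", line, re.IGNORECASE):
            if suspicious_path(line):
                findings.append(("process", line))
        # A Startup folder is never a system directory, so a system binary name here is wrong.
        elif line.startswith(("O4 - Global Startup:", "O4 - Startup:")):
            if line.split(":", 1)[1].strip().lower() in SYSTEM_BINARIES:
                findings.append(("startup", line))
    return findings
```

The exact-name match deliberately leaves look-alike names (csrrs.exe in the sample) alone; those need a separate review rather than an automatic flag.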
