
New Member & Log Help Needed


This topic is locked. 12 replies to this topic.

#1 Lweber (Members, 5 posts)

Posted 14 May 2006 - 09:47 AM

Hi. I just found your site in my ongoing battle to retake MY computer. Great site! So much good scoop on your site! I've been battling with lots of ugly things in my computer lately. I normally run Norton's, but it must have been sleeping on the job... Over the past couple of weeks, I've run every anti-spyware, adware, virus checker I could get my hands on. These include Adaware, Spybot, Spy Subtract, Xoftspy, and ErrorKiller. These found lots of spyware and adware and were able to remove most, I think. Been struggling to get rid of surfsidekick for a while now. At least now, I am able to get on the internet sites that I want and not what the hijackers want. So, I am making progress!

I have been tempted to do a total system recovery and start all over. But thought I'd try to clean it up first. Some things I'm considering are to switch to McAfee and the Mozilla browser. Might this help me in the future? Here's my HijackThis log. Please, can someone take a look and see if they spot any nasties lurking in it? Your opinions would be greatly appreciated. Thanks, lynn.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:57 AM, on 5/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\windows\system32\psdsrego.exe
C:\WINDOWS\system32\owintqaf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\csrrs.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ebay.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oelir.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,yyslcsn.exe
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{80-06-63-3F-ZN}] C:\windows\system32\psdsrego.exe CORN004
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owintqaf.exe CORN004
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owintqaf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10559391-6D2D-4E2F-AF0F-866DA746C10A}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{10559391-6D2D-4E2F-AF0F-866DA746C10A}: NameServer = 64.136.20.121 64.136.28.121
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f4j20e1oeh.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
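Reading a log like the one above by eye is error-prone, and the entries a helper jumps on first are the generic persistence patterns rather than individual file names: extra programs appended to the Winlogon Shell or UserInit values (the two F2 lines), Run-key entries that name a bare executable with no path, a core Windows binary name sitting in a Startup folder, a Winlogon Notify DLL that no longer exists, and the same executable registered in more than one autostart location. The following Python script is an added example for this thread, not part of the original post or of HijackThis: it parses HijackThis 1.99-style entry lines and applies exactly those heuristics. The sample lines are copied from the log above; the expected Shell/UserInit defaults, the core-binary list and the finding names are this example's own assumptions, and the multi-location check is general enough to run over any log in this format.

```python
"""Triage HijackThis 1.99-style log entries for suspicious persistence.

Added example for this thread, not part of the original post or of HijackThis.
The Shell/UserInit defaults, the core-binary list and the finding names are this
example's assumptions; the sample lines are copied from the log posted above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First program on a command line: optional quote, then the path up to an
# executable extension (token splitting breaks on unquoted "Program Files" paths).
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|bat|cmd|com|scr|pif))\b"?', re.I)
# What Winlogon should launch for each system.ini key (assumed defaults).
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}
# Binaries Windows starts itself; a copy in a Startup folder is not the real one.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "explorer.exe", "userinit.exe"}


@dataclass(frozen=True)
class Finding:
    reason: str   # short heuristic name
    detail: str   # the offending log line, or a summary for cross-line findings


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def _check_f2(body, line, findings):
    """F2 - REG:system.ini: Shell=... / UserInit=...  Flag any extra program."""
    _, _, assignment = body.partition(": ")
    name, _, value = assignment.partition("=")
    expected = EXPECTED.get(name.strip().lower())
    if expected is None:
        return
    programs = [p.strip() for p in value.split(",") if p.strip()]
    if any(_basename(p) != expected for p in programs):
        findings.append(Finding(f"{name.strip().lower()}-extra", line))


def _check_o4(body, line, findings, seen):
    """O4 - <location>: [name] command, or O4 - Startup: file.lnk = target."""
    loc, _, rest = body.partition(": ")
    if loc.endswith("Startup"):
        name, sep, cmd = rest.partition(" = ")   # .lnk = target, or a bare file
        cmd = cmd if sep else name
    else:
        m = re.match(r"^\[[^\]]*\]\s*(?P<cmd>.*)$", rest)
        if not m:
            return
        cmd = m.group("cmd")
    m = EXE_RE.match(cmd.strip())
    if not m:
        return
    target = m.group("path")
    base = _basename(target)
    if not loc.endswith("Startup") and "\\" not in target:
        findings.append(Finding("bare-filename", line))   # resolved via search path
    if loc.endswith("Startup") and base in CORE_BINARIES:
        findings.append(Finding("core-binary-in-startup-folder", line))
    seen[base].add(loc)


def triage(log_text):
    """Return a list of Findings for the entry lines of a HijackThis log."""
    findings, seen = [], defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2":
            _check_f2(body, line, findings)
        elif sec == "O4":
            _check_o4(body, line, findings, seen)
        elif sec == "O20" and "(file missing)" in body:
            findings.append(Finding("winlogon-notify-missing-dll", line))
    # One executable registered in several autostart locations is a redundancy
    # pattern worth a look on any log, not just this one.
    for base, locs in sorted(seen.items()):
        if len(locs) > 1:
            findings.append(Finding("multi-location", f"{base} <- " + ", ".join(sorted(locs))))
    return findings


# Constructed sample: lines copied from the first log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oelir.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,yyslcsn.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owintqaf.exe CORN004
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owintqaf.exe
O4 - Global Startup: svchost.exe
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f4j20e1oeh.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.detail}")
```

Run on the sample, the script flags both F2 lines, both bare `csrrs.exe` entries, the `svchost.exe` dropped in the all-users Startup folder, the missing Notify DLL, and the two executables (`csrrs.exe`, `owintqaf.exe`) that appear in more than one autostart location. Entries it stays quiet on (the Symantec, ATI, HP and iTunes items) are ones a helper would verify by publisher and path rather than by pattern; the output is a worklist for that check, not a verdict.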


#2 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Location: Belgium)

Posted 14 May 2006 - 04:13 PM

Hello,

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following programs if present:

Zenosearch
SpywareBot
Errorkiller


Reboot afterwards.

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon.
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click OK.
Then click Execute in Brute Force Uninstaller.

Extra note:
If nothing really happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save as', and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.

Wait for the complete script execution box to pop up and press OK.
Press Exit to terminate the BFU program.
  • Download qoofix.bat (right-click on this link and choose Save as)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat and close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted, please post another HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Lweber (Topic Starter; Members, 5 posts)

Posted 16 May 2006 - 09:17 PM

Miekiemoes - You must be a guru genius. I'm seeing evidence that things are greatly improved. Some poor uglies on my machine can't find themselves! As you requested, here's my autorun log after I ran BF and Qoofix. What now? PS - I didn't remove Errorkiller and SpywareBot as those are programs I purchased in my desperation. Do you still feel like I need to delete them?

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ _SetRes Cloaker (Not verified) Hewlett-Packard Co. c:\hp\bin\cloaker.exe

+ ATIPTA ATI Desktop Control Panel (Not verified) ATI Technologies, Inc. c:\program files\ati technologies\ati control panel\atiptaxx.exe

+ CleanUp McAfee Application Installer (Not verified) McAfee, Inc c:\program files\mcafee.com\shared\mcappins.exe

+ errorkiller Registry Cleaner c:\program files\errorkiller\errorkiller.exe

+ HPBootOp HP Boot Optimizer (Not verified) Hewlett-Packard Company c:\program files\hewlett-packard\hp boot optimizer\hpbootop.exe

+ IcoSet Cloaker (Not verified) Hewlett-Packard Co. c:\hp\bin\cloaker.exe

+ iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe

+ LSBWatcher LightScribe Burn Watcher (Not verified) Hewlett-Packard Company c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

+ MCAgentExe McAfee SecurityCenter Agent (Not verified) McAfee, Inc c:\program files\mcafee.com\agent\mcagent.exe

+ MCAgentExe McAfee SecurityCenter Agent (Not verified) McAfee, Inc c:\program files\mcafee.com\agent\mcagent.exe

+ McRegWiz McRegWiz Module c:\program files\mcafee.com\agent\mcregwiz.exe

+ MCUpdateExe McAfee SecurityCenter Update Engine (Not verified) McAfee, Inc c:\program files\mcafee.com\agent\mcupdate.exe

+ MCUpdateExe McAfee SecurityCenter Update Engine (Not verified) McAfee, Inc c:\program files\mcafee.com\agent\mcupdate.exe

+ OASClnt McAfee VirusScan OAS Client (Not verified) McAfee, Inc. c:\program files\mcafee.com\vso\oasclnt.exe

+ QuickTime Task QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ regcmdcons Cloaker (Not verified) Hewlett-Packard Co. c:\hp\bin\cloaker.exe

+ SpywareBot Advanced Spyware Cleaner (Not verified) SpywareBot Company c:\program files\spywarebot\spywarebot.exe

+ TkBellExe RealNetworks Scheduler (Not verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe

+ VirusScan Online McAfee VirusScan ActiveShield Resource (Not verified) McAfee, Inc. c:\program files\mcafee.com\vso\mcvsshld.exe

+ VSOCheckTask McAfee VirusScan Command Handler (Not verified) McAfee, Inc. c:\program files\mcafee.com\vso\mcmnhdlr.exe

+ {80-06-63-3F-ZN} File not found: C:\windows\system32\pkdsregn.exe CORN004

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ HP Digital Imaging Monitor.lnk HP Digital Imaging Monitor (Not verified) Hewlett-Packard Co. c:\program files\hp\digital imaging\bin\hpqtra08.exe

+ Logitech SetPoint.lnk Logitech SetPoint (Not verified) Logitech Inc. c:\program files\logitech\setpoint\kem.exe

+ SpySubtract.lnk SpySubtract Launcher (Not verified) InterMute, Inc. c:\program files\intermute\spysubtract\sslaunch.exe

+ svchost.exe c:\documents and settings\all users\start menu\programs\startup\autorunsdisabled\svchost.exe

+ Updates from HP.lnk (Not verified) Hewlett-Packard c:\program files\updates from hp\309731\program\updates from hp.exe

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup

+ Z_Start.lnk File not found: C:\WINDOWS\system32\dwdsregt.exe

+ Zeno.lnk File not found: C:\WINDOWS\system32\lwinlqaf.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Classes\Protocols\Filter

+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll

+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll

+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll

HKLM\SOFTWARE\Classes\Protocols\Handler

+ cdo Microsoft SharePoint Portal Server Object Model (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\web folders\pkmcdo.dll

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Display Panning CPL Extension File not found: deskpan.dll

+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll

+ InprocServer32 File not found: CLSID\{70860DC8-070D-40CD-9737-EF186BC4A12F}\InprocServer32

+ InprocServer32 File not found: CLSID\{938C05DF-E18B-4C52-95D1-A182511E3EB8}\InprocServer32

+ InprocServer32 File not found: CLSID\{E9D344C1-9DB5-4394-921C-2478D5DFA6BC}\InprocServer32

+ iTunes iTunes Mini Player DLL (Not verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll

+ SampleView ShellvRTF (Not verified) XSS c:\windows\system32\shellvrtf.dll

+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Not verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ Popup-Blocker Class NetZero HiSpeed (Verified) NetZero Inc c:\program files\netzero\qsacc\x1iebho.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

HKLM\Software\Microsoft\Internet Explorer\Toolbar

+ googletoolbar2.dll Google IE Client Toolbar (Not verified) Google Inc. c:\program files\google\googletoolbar2.dll

+ hpdtlk02.dll hp view toolbar (Not verified) Hewlett-Packard Company c:\program files\hp\digital imaging\bin\hpdtlk02.dll

+ McAfee VirusScan McAfee VirusScan Shell Extension Module (Not verified) McAfee, Inc. c:\program files\mcafee.com\vso\mcvsshl.dll

+ toolbar.dll Toolbar Module (Verified) NetZero Inc c:\program files\netzero\toolbar.dll

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Extensions

+ Connection Help c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ Connection Help c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

Task Scheduler

+ Easy Internet Sign-up.job HP SDP Application Module (Not verified) Hewlett-Packard c:\program files\easy internet signup\hpsdpapp.exe

+ Norton AntiVirus - Scan my computer - HP_Administrator.job Norton AntiVirus Scanner Module (Verified) Symantec Corporation c:\program files\norton antivirus\navw32.exe

+ Symantec NetDetect.job Symantec NetDetect (Verified) Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe

+ XoftSpySE.job Xoftspy (Not verified) ParetoLogic c:\program files\xoftspyse\xoftspy.exe

HKLM\System\CurrentControlSet\Services

+ LightScribeService Used by the LightScribe software components to support 3rd party disc labeling applications using the LightScribe COM Application Programming Interface (LSCAPI). This service needs to run for LightScribe direct disc labeling to work. c:\program files\common files\lightscribe\lssrvc.exe

+ McDetect.exe McAfee WSC Integration Service (Not verified) McAfee, Inc c:\program files\mcafee.com\agent\mcdetect.exe

+ McShield On-Access Scanner service (Not verified) McAfee Inc. c:\program files\mcafee.com\vso\mcshield.exe

+ McTskshd.exe McAfee Task Scheduler (Not verified) McAfee, Inc c:\program files\mcafee.com\agent\mctskshd.exe

+ mcupdmgr.exe McAfee SecurityCenter Update Manager (Not verified) McAfee, Inc c:\program files\mcafee.com\agent\mcupdmgr.exe

+ Pml Driver HPZ12 PML Driver (Not verified) HP c:\windows\system32\hpzipm12.exe

+ SymWSC Symantec WMI Service (Verified) Symantec Corporation c:\program files\common files\symantec shared\security center\symwsc.exe

HKLM\System\CurrentControlSet\Services

+ CO_Mon c:\windows\system32\drivers\co_mon.sys

+ GEARAspiWDM CDRom Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys

+ PcdrNdisuio PCDRNDISUIO Usermode I/O Protocol (Not verified) Windows ® 2000 DDK provider c:\windows\system32\drivers\pcdrndisuio.sys

+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Not verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys

+ SYMIDSCO IDS Core Driver (Verified) Symantec Corporation c:\program files\common files\symantec shared\symcdata\ids-diskless\20051208.051\symidsco.sys

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKLM\Software\Microsoft\Command Processor\Autorun

HKCU\Software\Microsoft\Command Processor\Autorun

HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ OemStartMenuData File not found: C:\WINDOWS\system32\f4j20e1oeh.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

HKCU\Control Panel\Desktop\Scrnsave.exe

HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImageName

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages


#4 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Location: Belgium)

Posted 17 May 2006 - 03:11 AM

Hi,

Not sure what log you posted here, but that isn't a HijackThis log.
Also, please use the normal font and font size, because I can't read what it says above.

I am very sorry to hear you bought SpywareBot and Errorkiller, because they are on the blacklist of those NOT to install. Also take a look in my signature where it says 'which scanners NOT to install'.

So can you please post a new HijackThis log, using the normal font and font size?

#5 Lweber (Topic Starter; Members, 5 posts)

Posted 19 May 2006 - 05:10 AM

Don't have a clue where I was on my last post. Here's the HiJackThis Log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 5:04:15 AM, on 5/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ebay.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;*.prod.untd.com;<local>
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKLM\..\RunOnce: [mctskshd.exe] c:\PROGRA~1\mcafee.com\agent\mctskshd.exe -regserver
O4 - HKLM\..\RunOnce: [mcdetect.exe] c:\PROGRA~1\mcafee.com\agent\mcdetect.exe -regserver
O4 - HKLM\..\RunOnce: [mcvsshld.exe] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe -regserver
O4 - HKLM\..\RunOnce: [vsoupd.dll] rundll32.exe advpack.dll,RegisterOCX c:\PROGRA~1\mcafee.com\vso\vsoupd.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10559391-6D2D-4E2F-AF0F-866DA746C10A}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{10559391-6D2D-4E2F-AF0F-866DA746C10A}: NameServer = 64.136.20.121 64.136.28.121
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f4j20e1oeh.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 May 2006 - 06:40 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll <== not required
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f4j20e1oeh.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Update your Sun Java:

Updating Java via Control Panel:
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    (If you can't find the Java Icon, click 'Other Control Panel Options' in the left pane first)
  • Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
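As an added example (not part of the original post and not HijackThis code), a small Python triage script that parses the O4, O20 and R1 line formats from the logs above and flags the two entries miekiemoes asked to have fixed: the path-less `csrrs.exe` lookalike and the Winlogon Notify entry whose DLL is missing. The known-process list, the severity labels and the treatment of a local proxy as "review" rather than "fix" are this example's own assumptions.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example).

Handles three line types seen in this thread's logs:
  O4  - autostart entries: flag bare filenames that imitate a Windows process
  O20 - Winlogon Notify entries: flag DLLs reported as "(file missing)"
  R1  - ProxyServer: mark a local proxy for review (web accelerators use one)
"""
import re
from dataclasses import dataclass
from typing import Optional

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
PROXY_RE = re.compile(
    r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")

# Core Windows process names that malware commonly imitates (constructed list).
KNOWN_PROCS = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
               "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe"}


@dataclass
class Finding:
    line: str
    severity: str   # "fix" = remove with Fix Checked, "review" = verify by hand
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the legitimate process name a filename imitates, or None."""
    name = name.lower()
    if name in KNOWN_PROCS:
        return None
    best = min(KNOWN_PROCS, key=lambda real: edit_distance(name, real))
    return best if edit_distance(name, best) <= 2 else None


def executable(cmd: str) -> str:
    """Extract the program from an O4 command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if m := O4_RE.match(line):
        exe = executable(m["cmd"])
        if "\\" in exe:                      # full path given, nothing to flag here
            return None
        real = lookalike(exe)
        if real:
            return Finding(line, "fix", f"{exe} has no path and imitates {real}")
        return Finding(line, "review", f"{exe} has no path; locate the file first")
    if m := O20_RE.match(line):
        if m["missing"]:
            return Finding(line, "fix",
                           f"Winlogon Notify points at missing DLL {m['path']}")
        return None
    if m := PROXY_RE.match(line):
        if "127.0.0.1" in m["value"] or "localhost" in m["value"]:
            return Finding(line, "review",
                           "local proxy; confirm it belongs to an installed accelerator")
    return None


def triage_log(text: str) -> list:
    return [f for f in map(triage_line, text.splitlines()) if f]


# Sample lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f4j20e1oeh.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```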

#7 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 May 2006 - 05:47 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 May 2006 - 11:17 AM

Reopened at user request.

Please post the logs I asked in my previous reply. :thumbsup:

#9 Lweber

  • Topic Starter
  • Members
  • 5 posts

Posted 26 May 2006 - 01:39 PM

OK - I've deleted the HJT lines that you requested, although I did not find the crss.exe line this time. A copy of my Panda scan log and a new HJT log are below.

Here's Panda's log:

Incident Status Location

Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@10103[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adopt.hbmediapro[2].txt
Spyware:Cookie/SearchingBooth Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@aff506[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atwola[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@banners.searchingbooth[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@c.enhance[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cassava[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@did-it[2].txt
Spyware:Cookie/dw06 Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@dw06[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@i.screensavers[2].txt
Spyware:Cookie/Bettersearch Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@index[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@kmpads[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@offeroptimizer[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@Pinhead[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@searchportal.information[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@stats1.reliablestats[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@targetsaver[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@target[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@winfixer[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@wizzle[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.burstbeacon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@xiti[1].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/New.net Not disinfected C:\NNSCAA638.EXE
Spyware:Cookie/7search Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10000.qit
Spyware:Cookie/Adserver Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10008.qit
Spyware:Cookie/Adserver Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10009.qit
Spyware:Cookie/Advertising Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10013.qit
Spyware:Cookie/Advertising Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10014.qit
Spyware:Cookie/Advertising Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10015.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10016.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10017.qit
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10018.qit
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10019.qit
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10024.qit
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10025.qit
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10030.qit
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10031.qit
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10032.qit
Spyware:Cookie/Cgi-bin Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10036.qit
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10041.qit
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10043.qit
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10044.qit
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10045.qit
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10048.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10050.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10051.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10052.qit
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10054.qit
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10055.qit
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10056.qit
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10057.qit
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10058.qit
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10059.qit
Spyware:Cookie/FindtheWebsiteYouNeed Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10060.qit
Spyware:Cookie/Findwhat Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10061.qit
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10063.qit
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10064.qit
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10065.qit
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10066.qit
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10067.qit
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10068.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10069.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10070.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10071.qit
Spyware:Cookie/Overture Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10076.qit
Spyware:Cookie/Overture Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10077.qit
Spyware:Cookie/Overture Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10078.qit
Spyware:Cookie/Overture Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10079.qit
Spyware:Cookie/Overture Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10080.qit
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10082.qit
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10086.qit
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10087.qit
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10088.qit
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10089.qit
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10090.qit
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10091.qit
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10092.qit
Spyware:Cookie/WUpd Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10096.qit
Spyware:Cookie/WUpd Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10097.qit
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10100.qit
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10101.qit
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10102.qit
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10103.qit
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10104.qit
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10111.qit
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10112.qit
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10115.qit
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10116.qit
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10117.qit
Spyware:Cookie/Zedo Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10119.qit
Spyware:Cookie/Zedo Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10120.qit
Spyware:Cookie/Zedo Not disinfected C:\Program Files\SpywareBot\Quarantine\02-05-2006-21-33-37\10121.qit
Spyware:Cookie/Adserver Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10005.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10006.qit
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10007.qit
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10008.qit
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10010.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10011.qit
Spyware:Cookie/Falkag Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10012.qit
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10013.qit
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10014.qit
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10016.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10017.qit
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10019.qit
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10020.qit
Spyware:Cookie/WUpd Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10021.qit
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10022.qit
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10023.qit
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10024.qit
Spyware:Cookie/Zedo Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10025.qit
Spyware:Cookie/Zedo Not disinfected C:\Program Files\SpywareBot\Quarantine\14-05-2006-09-32-26\10026.qit
Virus:Trj/Downloader.ILI Disinfected C:\WINDOWS\system32\w0136c98.dll
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\WPRE.exe

and here's the new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:35 AM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ebay.com
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I notice a lot of quarantined infections. How do I get rid of them? Many, many thanks to you! I really appreciate all your help. Lweber
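A small triage helper for the kind of HijackThis log posted above, added here as an illustration; it is not HijackThis code and not part of the thread. It parses the O9 (browser buttons), O16 (ActiveX downloads) and O23 (services) lines and applies two defender-side checks a helper would run by eye: a service binary living outside the Windows or Program Files trees, and an O23 entry with no publisher recorded. The trusted directory prefixes and the list of expected ActiveX hosts are assumptions, and the last sample line (a service in a temp folder) is constructed to show what gets flagged.

```python
"""Triage helpers for HijackThis O9/O16/O23 log lines.

Added example; not HijackThis code and not from the thread. The trusted
directory prefixes and the known ActiveX hosts below are assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample: four lines in the shape of the log above, plus one
# made-up service running from a temp folder to show what the checks flag.
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\exupd.exe
"""

O9_RE = re.compile(
    r"^O9 - (?P<kind>Extra button|Extra 'Tools' menuitem): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)(?: \(HKCU\))?$"
)
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.+?)\) - (?P<url>\S+)$"
)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Assumption: on a stock XP install, services live under these prefixes.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Assumption: ActiveX (O16) downloads are expected only from these vendor hosts.
KNOWN_DPF_HOSTS = {"security.symantec.com", "acs.pandasoftware.com"}


def parse_hjt(text):
    """Return one dict per recognised O9/O16/O23 line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for section, rx in (("O23", O23_RE), ("O16", O16_RE), ("O9", O9_RE)):
            m = rx.match(line)
            if m:
                entry = {"section": section, "raw": line}
                entry.update(m.groupdict())
                entries.append(entry)
                break
    return entries


def review(entries):
    """Return (entry name, reason) pairs for entries a helper should look at."""
    findings = []
    for e in entries:
        if e["section"] == "O23":
            path = e["path"].lower()
            if not path.startswith(TRUSTED_SERVICE_DIRS):
                findings.append((e["name"], "service binary outside Windows/Program Files"))
            if e["vendor"].lower() == "unknown owner":
                findings.append((e["name"], "no publisher recorded; confirm the file's origin"))
        elif e["section"] == "O16":
            host = (urlparse(e["url"]).hostname or "").lower()
            if host not in KNOWN_DPF_HOSTS:
                findings.append((e["name"], f"ActiveX download from unlisted host {host}"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

"Unknown owner" on its own is only a prompt to verify (the LightScribe service above is legitimate), which is why the two checks are reported separately; a service that trips both is the one to look at first.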

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 May 2006 - 01:48 PM

Hi,

Your HijackThis log looks clean again. So I guess you decided to keep SpywareBot since you bought it?
It's on the blacklist here though: http://www.spywarewarrior.com/rogue_anti-s...re.htm#products
That list means the scanners not to install, because you can't trust them.
The only malware-related things SpywareBot found are some harmless cookies.
Anyway, it's OK with me if you want to keep it.

To get rid of the files in quarantine, open SpywareBot, choose the Quarantine option and delete everything that is present there.

Also delete the following files:

C:\NNSCAA638.EXE
C:\WINDOWS\WPRE.exe

Update your Sun Java:
Updating/installing Java Runtime Environment Version 5.0 Update 7:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
  • It should have the following icon next to it: Posted Image
  • Select it and click Remove.
  • Then download and install the newest version from here: J2SE™ Runtime Environment 5.0 Update 7
Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Lweber

Lweber
  • Topic Starter

  • Members
  • 5 posts

Posted 26 May 2006 - 03:11 PM

So I guess you decided to keep Spywarebot since you bought it?


No, I thought I did get rid of SpywareBot! Guess I've been doing so many things that one got swept into a crack. I'll do it next, but should I use it to get rid of the quarantined files first?

Please describe the Java icon I'm looking for in Control Panel, as it didn't come through in your previous post.

Also, do I need to worry any about infections that might be loading in the service/hosts files?

The PC is really running great right now. :thumbsup: Thanks to you and this site. :flowers:

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 May 2006 - 03:23 PM

Hi, well, if you uninstall SpywareBot and reboot afterwards, check if the following folder is still present:

C:\Program Files\SpywareBot

If so, delete that folder. That should also delete the quarantine folder present in it.

The Java icon looks like a coffee cup, a blue coffee cup.
You need this URL to update Java:
http://www.java.com/en/download/manual.jsp

The previous one I gave is not the right one. :thumbsup:

Also, do I need to worry any about infections that might be loading in the service/hosts files


I can't see anything suspicious in your services. And infections don't load in hosts files; they can only add entries for websites in there, that's all.
So if you're worried about the hosts file, you can set it back to default by performing the following:
* Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

And Glad I could help. :flowers:

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you are running XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to protect your PC, protect yourself and protect your family.

More info on how to prevent malware can also be found here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :huh:
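The hosts-file point in the post above (an infection can only add entries that map website names to addresses, and a cleanup tool simply writes the default file back) can be made concrete with a small audit script. This is an added example, not code from the thread and not how Hoster works internally; the default hosts content and the list of vendor domains it watches are assumptions, and the sample file is constructed to contain two planted entries.

```python
"""Audit a Windows hosts file for entries that were not there by default.

Added example, not from the thread or from Hoster. The default content and
the watched vendor domains are assumptions made for illustration.
"""
import ipaddress

# Constructed sample: a stock XP hosts file plus planted lines that blackhole
# an update site and a vendor scanner site, and one redirect to another host.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       security.symantec.com
10.0.0.5        www.java.com
"""

# Assumption: the only mapping a clean XP hosts file needs.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Assumption: domains a cleanup helper wants resolving normally (update and
# scanner sites mentioned in the thread).
WATCHED_SUFFIXES = ("microsoft.com", "symantec.com", "mcafee.com",
                    "java.com", "pandasoftware.com")


def parse_hosts(text):
    """Yield (ip, [hostnames]) for every active line; comments are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        yield parts[0], parts[1:]


def audit_hosts(text):
    """Return (hostname, ip, reason) for every mapping other than localhost."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname == "localhost" and ip in ("127.0.0.1", "::1"):
                continue  # the default entry
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback or ip == "0.0.0.0":
                reason = "blackholed to loopback"
            elif lname.endswith(WATCHED_SUFFIXES):
                reason = "vendor/update domain redirected"
            else:
                reason = "non-default entry"
            findings.append((name, ip, reason))
    return findings


def restore_default():
    """Content a 'Restore Original Hosts' step would write back (assumed default)."""
    return DEFAULT_HOSTS


if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:35} {ip:15} {reason}")
```

Anything the audit lists is either a planted entry or something the user added deliberately (an ad-blocking hosts list, for instance), so review the list before overwriting rather than treating every finding as an infection.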

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 May 2006 - 01:06 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.