
Computer Is Infected, Hijackthis Log


This topic is locked.
29 replies to this topic

#1 davodevo


Posted 17 July 2006 - 10:32 PM

Note: I couldn't say which kind of malware is infecting my system. I wish I knew myself. It might be winfixer but I'm not sure. I'd like some help with my hijackthis log so I don't remove the wrong stuff.

For the past month my computer has been infected with some type of malware. When I try to log onto my desktop I get several prompt messages saying Windows cannot find certain programs.

After I click off of these, usually my desktop restores but the programs freeze up often and run slow.

I tried to use both vundo programs but they didn't detect anything.

I was hoping an expert could help me with my hijackthis log.

Thanks.





It's these prompts that come up when I log onto my Windows desktop, but without the first part; the "O4 - HKLM\..\RunOnce" part is not on there.

It just says "Windows cannot find C:\WINDOWS\System32\e8hy9t.exe (for example). Make sure you typed it correctly..." and so on.



O4 - HKLM\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - HKLM\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKLM\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKLM\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKLM\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k

O4 - HKCU\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKCU\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKCU\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKCU\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k
O4 - HKCU\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k



Would these be causing my internet explorer and windows applications to be freezing and running slow or could there be more malware/winfixer that I'm not able to detect?




Logfile of HijackThis v1.99.1
Scan saved at 11:24:01 PM, on 7/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Dave Devereux\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jjhuddle.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Plook] C:\Program Files\PLook\Plook.exe
O4 - HKLM\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - HKLM\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKLM\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKLM\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKLM\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware Assassin 4.0\Spyware Assassin.exe"
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKCU\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKCU\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKCU\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k
O4 - HKCU\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125885353124
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Edited by davodevo, 18 July 2006 - 02:32 PM.



#2 Buckeye_Sam

    Malware Expert



Posted 19 July 2006 - 10:08 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Before we can get started on fixing your problem you must change the location of Hijackthis. It should not run from a temp directory.
  • Download and run the HijackThis autoinstall program
  • Please choose the default location of C:\Program Files as the destination.
  • Run the program only from that location from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.
Once you have Hijackthis running from this folder, please reboot and post a new hijackthis log as a reply in this thread.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 davodevo

  • Topic Starter


Posted 19 July 2006 - 11:27 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:25:16 PM, on 7/19/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jjhuddle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Plook] C:\Program Files\PLook\Plook.exe
O4 - HKLM\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - HKLM\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKLM\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKLM\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKLM\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware Assassin 4.0\Spyware Assassin.exe"
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKCU\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKCU\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKCU\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k
O4 - HKCU\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125885353124
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#4 Buckeye_Sam


    Malware Expert



Posted 19 July 2006 - 01:31 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - HKLM\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKLM\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKLM\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKLM\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k
O4 - HKCU\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKCU\..\RunOnce: [i1pyel.exe] C:\WINDOWS\System32\i1pyel.exe /k
O4 - HKCU\..\RunOnce: [030zj.exe] C:\WINDOWS\System32\030zj.exe /k
O4 - HKCU\..\RunOnce: [dh0rajy.exe] C:\WINDOWS\System32\dh0rajy.exe /k
O4 - HKCU\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab



=================


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\System32\e8hy9t.exe
    C:\WINDOWS\System32\9846b6o.exe
    C:\WINDOWS\System32\i1pyel.exe
    C:\WINDOWS\System32\030zj.exe
    C:\WINDOWS\System32\dh0rajy.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==================


The main reason that your computer has become infected is because you are dangerously behind on Windows updates. There really is no way, short of disconnecting this computer entirely from the internet, to secure this computer until you update Windows. Please visit Windows Update and install all critical updates found for your computer. It will take quite some time as there have been many.

http://windowsupdate.microsoft.com/


Once you have done that, please post a new hijackthis log.


========================================================
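An added example, not code from this thread or from HijackThis: a Python triage pass over the O4 section that applies the signals a helper can read off the logs above (a RunOnce value in System32 with a random-looking name, a value name that is just the file name, the bare /k switch, and the same name under both HKLM and HKCU). The sample lines are copied from the posted log; the name-length threshold and the function names are my own assumptions.

```python
"""Triage of HijackThis O4 (autostart) lines, using the signals visible in this thread."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the log posted above, mixing normal
# autostarts with the rogue RunOnce entries that were marked for fixing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Plook] C:\Program Files\PLook\Plook.exe
O4 - HKLM\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - HKLM\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [9846b6o.exe] C:\WINDOWS\System32\9846b6o.exe /k
O4 - HKCU\..\RunOnce: [e8hy9t.exe] C:\WINDOWS\System32\e8hy9t.exe /k
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# registry-backed O4 line: "O4 - HKLM\..\RunOnce: [value name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# unquoted command: the image path ends at the first executable extension
IMAGE_RE = re.compile(r"^(?P<img>.*?\.(?:exe|dll|com|scr|bat|cpl))(?:\s+(?P<rest>.*))?$", re.I)
# assumed threshold for "random-looking": 4-8 lowercase letters and digits, both present
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{4,8}$")


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    image: str
    args: str


@dataclass
class Finding:
    entry: Entry
    reasons: list[str]


def split_command(cmd: str) -> tuple[str, str]:
    """Split a Run value's command into (image path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m["img"], (m["rest"] or "").strip()
    parts = cmd.split(None, 1) or [""]  # no recognised extension: first token is the image
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(log_text: str) -> list[Entry]:
    """Parse the registry-backed O4 lines; Startup-folder (.lnk) lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            image, args = split_command(m["cmd"])
            entries.append(Entry(m["hive"], m["key"], m["name"], image, args))
    return entries


def file_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[Finding]:
    entries = parse_o4(log_text)
    # hives each RunOnce value name is registered under (every rogue entry here is in both)
    hives_by_name: dict[str, set[str]] = {}
    for e in entries:
        if e.key == "RunOnce":
            hives_by_name.setdefault(e.name.lower(), set()).add(e.hive)
    findings = []
    for e in entries:
        stem = os.path.splitext(file_name(e.image))[0].lower()
        if not (e.key == "RunOnce" and "\\system32\\" in e.image.lower()
                and RANDOM_NAME_RE.match(stem)):
            continue
        reasons = ["RunOnce value pointing into System32 with a random-looking file name"]
        if e.name.lower() == file_name(e.image).lower():
            reasons.append("value name is just the file name")
        if e.args.lower() == "/k":
            reasons.append("launched with the bare /k switch shared by every rogue entry in this log")
        if {"HKLM", "HKCU"} <= hives_by_name.get(e.name.lower(), set()):
            reasons.append("same name registered under both HKLM and HKCU RunOnce")
        findings.append(Finding(e, reasons))
    return findings


def suspicious_names(log_text: str) -> set[str]:
    return {f.entry.name for f in triage(log_text)}
```

Run against the full posted log, `suspicious_names` returns exactly the five RunOnce names that Sam listed for fixing; the legitimate Run values (McAfee, NVIDIA, Messenger, Plook) are left alone.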

#5 davodevo

  • Topic Starter


Posted 19 July 2006 - 02:11 PM

"Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):"


I'm highlighting them and pressing copy, then going to the File menu and clicking Paste from Clipboard, but nothing is pasting. When I click the red X it just turns that box yellow and says you have not specified a file to delete.

#6 davodevo (Topic Starter)

Posted 19 July 2006 - 02:30 PM

Okay. I figured that part out.



Here is my action history log.


It was still giving me the prompts when I opened my windows desktop.



New Log Created
Previous Saved as C:\!KillBox\Logs\kb.Jul-19-1505.log

Pocket Killbox version 2.0.0.648
Running on Windows XP as Dave Devereux(Administrator)
was started @ Wednesday, July 19, 2006, 3:05 PM

Killbox Closed(Exit) @ 3:05:36 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Dave Devereux(Administrator)
was started @ Wednesday, July 19, 2006, 3:05 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\e8hy9t.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\e8hy9t.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:18:40 PM
# 3 [Delete on Reboot]
Path = C:\WINDOWS\System32\9846b6o.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:19:57 PM
# 4 [Delete on Reboot]
Path = C:\WINDOWS\System32\i1pyel.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:20:35 PM
# 5 [Delete on Reboot]
Path = C:\WINDOWS\System32\030zj.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:21:03 PM
# 6 [Delete on Reboot]
Path = C:\WINDOWS\System32\dh0rajy.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:22:00 PM
Killbox Closed(Exit) @ 3:22:12 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Dave Devereux(Administrator)
was started @ Wednesday, July 19, 2006, 3:25 PM

#7 davodevo (Topic Starter)

Posted 19 July 2006 - 04:39 PM

This is my new hijackthis log after running all the windows updates.




Logfile of HijackThis v1.99.1
Scan saved at 5:37:34 PM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jjhuddle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Plook] C:\Program Files\PLook\Plook.exe
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware Assassin 4.0\Spyware Assassin.exe"
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125885353124
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#8 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 20 July 2006 - 11:30 AM

Open Killbox. Click Remove Item -> Remove PendingFileRenameOperations
Then use Killbox just as you did before to delete these files on reboot.

C:\WINDOWS\System32\e8hy9t.exe
C:\WINDOWS\System32\9846b6o.exe
C:\WINDOWS\System32\i1pyel.exe
C:\WINDOWS\System32\030zj.exe
C:\WINDOWS\System32\dh0rajy.exe



================


I see that you have Spysweeper installed. If this is the full version, please open Spysweeper, check for updates, and run a full scan. Save the resulting log and post it here in your next reply.


================


Now I need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.

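The "Delete on Reboot" step in the instructions above, and the "PendingFileRenameOperations Registry Data has been Removed by External Process!" lines in the Killbox log in post #6, both turn on one Windows mechanism: a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which MoveFileEx writes when called with MOVEFILE_DELAY_UNTIL_REBOOT and which the session manager processes early at the next boot. The value holds pairs of strings: a source path in NT form ("\??\C:\..."), then a destination, where an empty destination means delete. If something clears that value before the reboot, the queued deletions silently never happen, which is why the advice is to remove the stale queue and re-add the files. The script below is an added example written for this page; it is not Killbox's code and not part of the thread. The function names are mine, and the five file paths are the ones listed in the post above, embedded here so the inspection run can be read against the log.

```powershell
# Added example (not from the thread or from Killbox): inspect, and optionally
# add to, the delete-on-reboot queue. The registry layout described in the
# comments is the documented MoveFileEx / PendingFileRenameOperations format.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileOperations {
    # REG_MULTI_SZ of string pairs: source, destination. "" destination = delete,
    # a "!" prefix on the destination = overwrite an existing target.
    $ops = (Get-ItemProperty -Path $SessionManager -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        [pscustomobject]@{
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
            Source      = $src
            Destination = $dst -replace '^!?\\\?\?\\', ''
            # Still present after a reboot means the queue was cleared before
            # smss.exe processed it (the "Removed by External Process" log lines).
            StillExists = Test-Path -LiteralPath $src
        }
    }
}

function Add-DeleteOnReboot {
    # Queue a delete the same way Killbox does: MoveFileEx with
    # MOVEFILE_DELAY_UNTIL_REBOOT (0x4). Needs an elevated shell; nothing is
    # removed until the next restart.
    param([Parameter(Mandatory)][string[]]$Path)
    if (-not ('Win32.Kernel32' -as [type])) {
        Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
    }
    $MOVEFILE_DELAY_UNTIL_REBOOT = [uint32]0x4
    foreach ($p in $Path) {
        if (-not [Win32.Kernel32]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx failed for $p (Win32 error $err)"
        }
    }
}

# Inspection run over the five files named in post #8: is each one queued for
# deletion, and is it still on disk?
$targets = 'e8hy9t.exe', '9846b6o.exe', 'i1pyel.exe', '030zj.exe', 'dh0rajy.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
$queued = Get-PendingFileOperations
foreach ($t in $targets) {
    $isQueued = [bool]($queued | Where-Object { $_.Action -eq 'Delete' -and $_.Source -ieq $t })
    '{0,-45} queued={1,-5} on disk={2}' -f $t, $isQueued, (Test-Path -LiteralPath $t)
}
# To queue them yourself from an elevated shell:  Add-DeleteOnReboot -Path $targets
```

Run Get-PendingFileOperations once right after queuing and again just before restarting: if the Delete entries have vanished in between, something on the machine is rewriting that registry value, and deleting the files on reboot will keep failing until whatever does that is stopped first.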

#9 davodevo (Topic Starter)

Posted 20 July 2006 - 08:55 PM

I don't see a way to save or copy the scan results from spysweeper.

hijackthis log

Adobe Reader 6.0
AOL Uninstaller (Choose which Products to Remove)
Augusta National Screen Saver
Azureus
BCM V.92 56K Modem
ccCommon
Dell ResourceCD
DivX
DivX Player
DivX Web Player
EPSON Printer Software
Google Desktop Search
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
Internet Worm Protection
iTunes
J2SE Runtime Environment 5.0 Update 7
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
MakeTorrent v2.1
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft XML Parser and SDK
MSRedist
Norton AntiVirus 2005
Norton AntiVirus Parent MSI
Norton SystemWorks
Norton SystemWorks 2005 (Symantec Corporation)
Norton Utilities
Norton WMI Update
Norton WMI Update
NSW_DRM_COLLECTION
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
QuickTime
RealPlayer
Rhapsody Player Engine
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SPBBC
Spy Sweeper
Symantec Script Blocking Installer
SymNet
TaxCut 2004
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Savings from Ebates
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Yahoo! extras

#10 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 21 July 2006 - 02:56 PM

Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Savings from Ebates



=============


Open up Spysweeper
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also post a new hijackthis log.

#11 davodevo (Topic Starter)

Posted 21 July 2006 - 08:01 PM

8:56 PM: Removal process completed. Elapsed time 00:00:32
8:56 PM: Quarantining All Traces: trafficmp cookie
8:56 PM: Quarantining All Traces: tacoda cookie
8:56 PM: Quarantining All Traces: onestat.com cookie
8:56 PM: Quarantining All Traces: serving-sys cookie
8:56 PM: Quarantining All Traces: realmedia cookie
8:56 PM: Quarantining All Traces: questionmarket cookie
8:56 PM: Quarantining All Traces: maxserving cookie
8:56 PM: Quarantining All Traces: fastclick cookie
8:56 PM: Quarantining All Traces: ru4 cookie
8:56 PM: Quarantining All Traces: overture cookie
8:56 PM: Quarantining All Traces: casalemedia cookie
8:56 PM: Quarantining All Traces: pointroll cookie
8:56 PM: Quarantining All Traces: adrevolver cookie
8:56 PM: Quarantining All Traces: specificclick.com cookie
8:56 PM: Quarantining All Traces: yieldmanager cookie
8:56 PM: Quarantining All Traces: tribalfusion cookie
8:56 PM: Quarantining All Traces: 2o7.net cookie
8:56 PM: Quarantining All Traces: websearch toolbar
8:56 PM: Removal process initiated
8:35 PM: Traces Found: 22
8:35 PM: Full Sweep has completed. Elapsed time 00:26:57
8:35 PM: File Sweep Complete, Elapsed Time: 00:22:36
8:33 PM: C:\Documents and Settings\Guest 3\Local Settings\Temp\temp.cab (ID = 86669)
8:33 PM: Found Adware: websearch toolbar
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\h40jp1ch\settings[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\yahoo[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\frd3zx8s\a=3287[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\4tq7klef\watch[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\mlb;arena=mlb;feat=players;type=psa;team=pit;playr=392528;user=anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\mlb;arena=mlb;feat=players;type=psa;team=pit;playr=392528;user=anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\mlb;arena=mlb;feat=gamecenter;type=bia;!category=richm;type=psa;team=pit;team=hou;user=anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=ye[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\homead;arena=home;arena=home2;arena=home3;type=ros;user=anonymous;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;!category=a_sky;cust=no[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\gallery[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\gallery;_ylt=aghy45dxhxtoxnqltr83b83rv7yf[3].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\gallery;_ylt=aghy45dxhxtoxnqltr83b83rv7yf[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\oxazw5qb\gallery;_ylt=aghy45dxhxtoxnqltr83b83rv7yf[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\c1mj05aj\images[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\ubonylyh\singlesnet[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\k9kjm7k7\hotmail[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\k9kjm7k7\hotmail[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\kvrvqcdh\search[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\k9kjm7k7\search[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\wjfnesxl\round4[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\o90pivc5\nhl[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\frd3zx8s\singlesnet[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\photos[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\nhl[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\images[4].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\images[3].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\images[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\images[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\2ju3e9ur\1[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\vzhvz90w\yahoo[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\kvrvqcdh\104-7340948-9483105[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\kvrvqcdh\sports.yahoo[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\440028357lgtqsq[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\440028357lgtqsq[3].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\o90pivc5\images[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\o90pivc5\images[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\440028357lgtqsq[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\o90pivc5\search[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\getmsg[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\frd3zx8s\context[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\vzhvz90w\24_%28season_5%29[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\4lm3s1i7\gallery[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\4lm3s1i7\boxscore[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\3[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\k5i7gla7\search[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\99tb1pst\search[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\99tb1pst\search[2].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\99tb1pst\448890129mywfxn[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\k9kjm7k7\search[1].". The operation completed successfully
8:32 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\c1mj05aj\misspookies[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\ermvuter\search[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\wjfnesxl\1434878485077236816iliakp[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\kvrvqcdh\search[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\kvrvqcdh\rltaylor84[2].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\kvrvqcdh\rltaylor84[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\k5i7gla7\yahoo[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\45evwdyj\scoreboard;_ylt=aqzio5ma_yultgrkaxgwpq1dubyf[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\c1mj05aj\yahoo[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\frd3zx8s\flirtyone84[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\g52bcl6r\search[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\whq3sher\photos[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\o90pivc5\yahoo[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\ermvuter\mlb;_ylt=aoyhp54emyzjuihvjpzfzlbdubyf[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\whq3sher\polldatajs[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\y9opuhst\nhl[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\4tq7klef\tr33033[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\4[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\y9opuhst\standings[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\ermvuter\yahoo[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\nas[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\wlo7at4x\nor[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\mxj0p436\3[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\frd3zx8s\bycategory[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\246964223csynjf[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\slarstyr\relocate=;ord=1620626927[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\99tb1pst\polldatajs[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\4fmh45op\tinyevilme[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\sxif01e3\fullcredits[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\8pw9qv83\yahoo[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\ermvuter\tt0088763[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\4tq7klef\yahoo[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\ubonylyh\search[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\m850hyye\scoreboard[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\2ju3e9ur\_;ord=1145668994344508[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\kvrvqcdh\boxscore;_ylt=aqv6jqlt970pxiwdn_u_5ls5nycb[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\o9u74tq7\1[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\whq3sher\standings;_ylt=aoymrvjfhbzg2x3zdhxypehdubyf[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\q7kbhmjq\160x600s[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\i3u3arah\ca2n492v.gif". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\qx0ty18t\stat[5].gif". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\i3u3arah\stat[2].gif". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\o90pivc5\nfl[1].". The operation completed successfully
8:31 PM: Warning: Failed to open file "c:\documents and settings\dave devereux\local settings\temporary internet files\content.ie5\k5i7gla7\hotmail[1].". The operation completed successfully
8:12 PM: Starting File Sweep
8:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@tribalfusion[2].txt (ID = 3589)
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@trafficmp[1].txt (ID = 3581)
8:12 PM: Found Spy Cookie: trafficmp cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@tacoda[1].txt (ID = 6444)
8:12 PM: Found Spy Cookie: tacoda cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@stat.onestat[2].txt (ID = 3098)
8:12 PM: Found Spy Cookie: onestat.com cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@serving-sys[2].txt (ID = 3343)
8:12 PM: Found Spy Cookie: serving-sys cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@realmedia[1].txt (ID = 3235)
8:12 PM: Found Spy Cookie: realmedia cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@questionmarket[2].txt (ID = 3217)
8:12 PM: Found Spy Cookie: questionmarket cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@perf.overture[1].txt (ID = 3106)
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@msnportal.112.2o7[1].txt (ID = 1958)
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@maxserving[2].txt (ID = 2966)
8:12 PM: Found Spy Cookie: maxserving cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@fastclick[2].txt (ID = 2651)
8:12 PM: Found Spy Cookie: fastclick cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@edge.ru4[2].txt (ID = 3269)
8:12 PM: Found Spy Cookie: ru4 cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@data4.perf.overture[1].txt (ID = 3106)
8:12 PM: Found Spy Cookie: overture cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@casalemedia[2].txt (ID = 2354)
8:12 PM: Found Spy Cookie: casalemedia cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@ads.pointroll[2].txt (ID = 3148)
8:12 PM: Found Spy Cookie: pointroll cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@adrevolver[2].txt (ID = 2088)
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@adrevolver[1].txt (ID = 2088)
8:12 PM: Found Spy Cookie: adrevolver cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@adopt.specificclick[2].txt (ID = 3400)
8:12 PM: Found Spy Cookie: specificclick.com cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@ad.yieldmanager[1].txt (ID = 3751)
8:12 PM: Found Spy Cookie: yieldmanager cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@a.tribalfusion[1].txt (ID = 3590)
8:12 PM: Found Spy Cookie: tribalfusion cookie
8:12 PM: c:\documents and settings\dave devereux\cookies\dave devereux@2o7[2].txt (ID = 1957)
8:12 PM: Found Spy Cookie: 2o7.net cookie
8:12 PM: Starting Cookie Sweep
8:12 PM: Registry Sweep Complete, Elapsed Time:00:00:39
8:11 PM: Starting Registry Sweep
8:11 PM: Memory Sweep Complete, Elapsed Time: 00:03:17
8:08 PM: Starting Memory Sweep
8:08 PM: Sweep initiated using definitions version 718
8:08 PM: Spy Sweeper 5.0.5.1286 started

#12 davodevo
  • Topic Starter
  • Members
  • 47 posts

Posted 21 July 2006 - 08:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:02:27 PM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jjhuddle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware Assassin 4.0\Spyware Assassin.exe"
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125885353124
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#13 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 July 2006 - 08:15 PM

Your log looks pretty good, but there are a few things that we should take care of.

Everything that Spysweeper showed is either a temp file or a cookie. Those are easy to remove.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


=============


I see signs of a program called Spyware Assassin. This is a rogue program and should not be used. More info can be found here.
http://www.spywarewarrior.com/rogue_anti-spyware.htm

I also see signs of McAfee still in your log, but it appears that you are using Norton as your antivirus.


Please fix these lines with Hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware Assassin 4.0\Spyware Assassin.exe"
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe



Then delete these folders.

C:\Program Files\Network Associates
C:\Program Files\Spyware Assassin 4.0



Reboot and post a new hijackthis log.
Let me know of any problems that you are still having.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 davodevo
  • Topic Starter
  • Members
  • 47 posts

Posted 23 July 2006 - 03:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:03:46 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jjhuddle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125885353124
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#15 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 July 2006 - 03:33 PM

I still see signs of McAfee. Did you try to delete C:\Program Files\Network Associates?

How is your computer running now? Any problems?
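Checking the fix list from post #13 against the logs in posts #12 and #14, as an added example that is not part of the thread or of HijackThis itself: the script parses HijackThis entry lines (ignoring the "Running processes" snapshot), reports which requested lines disappeared and which persist, and lists entries that still point into a folder slated for deletion. The log excerpts are constructed from lines quoted in this thread; `parse_hjt_log`, `check_fixes` and `entries_referencing` are names chosen here.

```python
"""Check which HijackThis fixes were applied by comparing a before/after log.

Added example, not part of the thread. The log excerpts below are
constructed from lines quoted in posts #12, #13 and #14 and follow the
HijackThis v1.99.1 layout shown there.
"""
import re

# An entry line starts with its section code, e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_hjt_log(text):
    """Return the set of (section, body) entries in a HijackThis log.

    The 'Running processes' block is skipped on purpose: it is a snapshot of
    what ran at scan time, not a persistence setting, and its order varies.
    """
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def check_fixes(before_text, after_text, requested_text):
    """Classify each requested fix line as removed, still present, or never seen."""
    before = parse_hjt_log(before_text)
    after = parse_hjt_log(after_text)
    report = {"removed": [], "still_present": [], "not_in_before": []}
    for fix in sorted(parse_hjt_log(requested_text)):
        if fix not in before:
            report["not_in_before"].append(fix)
        elif fix in after:
            report["still_present"].append(fix)
        else:
            report["removed"].append(fix)
    return report


def entries_referencing(text, folder):
    """Entries whose body points into `folder`: what deleting that folder would orphan."""
    needle = folder.lower()
    return sorted(e for e in parse_hjt_log(text) if needle in e[1].lower())


# Constructed excerpt of the log in post #12 (before the fixes).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:02:27 PM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware Assassin 4.0\Spyware Assassin.exe"
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

# Constructed excerpt of the log in post #14 (after the user worked through the list).
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:03:46 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

# The five lines the helper asked to have fixed in post #13.
REQUESTED_FIXES = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware Assassin 4.0\Spyware Assassin.exe"
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

if __name__ == "__main__":
    report = check_fixes(BEFORE_LOG, AFTER_LOG, REQUESTED_FIXES)
    for status, items in report.items():
        print(f"{status}: {len(items)}")
        for section, body in items:
            print(f"  {section} - {body[:72]}")
    leftovers = entries_referencing(AFTER_LOG, r"C:\Program Files\Network Associates")
    print("entries still pointing into Network Associates:", len(leftovers))
```

On the thread's own logs it reports the two O4 Run entries as removed and the O23 McAfee service plus the two R1 search lines as still present, which matches what the helper noticed in post #15.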