Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

2 Hijackers And A Start Up Error Message


  • This topic is locked This topic is locked
18 replies to this topic

#1 GetSome

GetSome

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 31 July 2006 - 05:52 AM

Hi,

I recently downloaded a fake installer and it unleashed spyware into my computer. I got rid of most of the problems using spyware doctor, spybot S&D, and AdAware. But 2 of the problems kept resurfacing even after I use those progams I stated above to get rid them.

Here is the detection info from my Spyware Doctor:

Name: Link Maker

Type: Hijacker

Threat Level: elevated

Description: Linkmaker will replace keywords on webpages viewed with links to external advertising pages.

Name MrFindALot

Type: Hijacker

Threat Level: High

Description: MrFindALot runs in the background and hijacks internet explorer search pages to www.mrfindalot.com/search.asp.

Here is a my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:13 AM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TEMP.D89G8B31.001\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deanza.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.deviantart.com/view/7789285/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [unh1d6f6] RUNDLL32.EXE w03a0ce6.dll,n 0021d6f40000000303a0ce6
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917837171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917826953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


Also everytime I turn on my computer right when windows loads up I get a "RUNDLL" error message that says "Error loading w03a0ce6.dll... The specified module cannot be found" I would very much like to get rid of that start up error message.

One more small problem is my McAfee Security center online virus scanner does not work anymore it starts up in the system tray by the clock whenever windows starts and I get this message saying it does not work everytime I start up my computer. The uninstaller does not work and i have no use for the McAfee shield or any McAfee progams anyway, so is there a way I can uninstall McAfee or a way to make sure that it does not start up when windows starts? It is quite outdated and useless now because it came with my PC as a 1 year subscription in the summer of 03.

Thanks much in advanced to whoever helps me! :thumbsup:

Edited by GetSome, 31 July 2006 - 05:59 AM.


BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:08 AM

Posted 31 July 2006 - 10:46 AM

Hello there GetSome, welcome to Bleeping Computer.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

One more small problem is my McAfee Security center...

I want to leave this problem until the end, when we have removed all the malware from your system first. If mcafee is not working at the moment it is very important you install another antivirus - you probably got infected as you were not protected. You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs..
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

Also everytime I turn on my computer right when windows loads up I get a "RUNDLL" error message

This error should stop after following the instructions below.

Next, please download Ewido Anti-Spyware and save the file to your desktop.
This is a free 30 day trial version of the program.
  • Locate the icon on your desktop and double click it to open the set-up program.
  • Follow the instructions on screen to install Ewido.
  • Run the program and you will meet the main screen.
  • Select the icon "Update" then select the "Update now" link
  • Next click the "Start Update" button; a progress bar will show the updates being installed.
  • Now select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Click on "Recommended actions" and then select "Quarantine".
  • Close the program now, we will be running a scan a bit later.
  • You can go ahead and delete the old setup file from your desktop.
Please open the Hijackthis program.
Click on the "Do a system scan only".
Place a tick next to the following entries.
Do not be concerned if you cannot find them in the list:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [unh1d6f6] RUNDLL32.EXE w03a0ce6.dll,n 0021d6f40000000303a0ce6
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll


Make sure your Internet Explorer is closed.
Click on the "Fix Checked" button and exit HijackThis when finished.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\xeymi.dll
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\WINDOWS\system32\w03a0ce6.dll

Launch Ewido by double clicking on the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab.
  • Then click on the "Complete System Scan" button.
  • If you have any infections you will be asked for an action - select "apply all actions".
  • Now select the "Reports" icon at the top.
  • Click "Save Report As" and save the text file to your desktop.
  • Close Ewido and reboot back into normal mode.
Please post the results of the Ewido scan in this thread.
David

#3 GetSome

GetSome
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 31 July 2006 - 06:41 PM

OK I actually ran ewido anti-spyware in normal mode instead of safe mode and only realized my mistake after going over your instructions. 10 files were quarantined while I ran ewido anti-spyware in normal mode.

C:\WINDOWS\system32\ghynf.exe
C:\RECYCLER\S-1-5-21-2296624935-3589512056-985476935-1007\Dc12.exe
C:\Program Files\Common Files\Real\WeatherBug\MiniBugtransporter.dll
C:\WINDOWS\system32n9nyb.exe
C:\WINDOWS\SYSTEM32\n9nyb.exe
C:\WINDOWS\SYSTEM32\iqqr.exe
C:\Documents and Settings\TEMP.D89G8B31.001\Desktop\hijackthis\backups\backup-20060731-140056-875.dll
C:\fym9bvo.exe
C:\dist13.exe
C:\626_101newer.exe

I ran ewido again but this time in Safe mode with no networking and no threats were found.

The error message w03a0ce6.dll no longer shows up when I start windows.

I am running out of disk space because my cheat dell dimension 4600 only has a 40 gigabyte hard disk and I only have 2 gigabytes of unused space left, probably not even enough for system restore and defragmenter. So would it be safe if I remove the quarantined files permanantly? Thank you for helping me I greatly value and appreciate any help you give me.

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:08 AM

Posted 01 August 2006 - 03:37 AM

Hey GetSome,

OK I actually ran ewido anti-spyware in normal mode instead of safe mode and only realized my mistake after going over your instructions. 10 files were quarantined while I ran ewido anti-spyware in normal mode.

That's fine, it doesn't really matter.
It's good that you checked again in safe mode - no threats shows that ewido was able to delete the threats in normal mode.

I am running out of disk space because my cheat dell dimension 4600 only has a 40 gigabyte hard disk and I only have 2 gigabytes of unused space left, probably not even enough for system restore and defragmenter. So would it be safe if I remove the quarantined files permanantly?

That really isn't a very good idea at all. You have to delete some files off that computer in my opinon. XP will find it very hard to run on suck limited resources and you will notice your computer start to lack in performance. You can go ahead and delete the ewido quaruntine files, in fact you can delete the entire program as we don't need it any more and it is a 30-day trial, that should free up some space. You might like to try and clear clutter off your computer, and free up some space on your harddrive.
Old games, unwanted photos and unused programs could be a starting point.
You can also clear clutter such as temprary files by doing the following:
Go to start and click on the "run" button.
Type the following in the fox --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.
You definatley should look through your add/remove list and delete some old programs/games that you don't use any more. Do you have loads of digital photos which you could save to disk?

Well I now want to see a new Hijackthis log. In addition I want another scan from you.

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

I haven't forgotten about the Mcafee problem at all,
but I want to know the system is clean firsrt before we try and uninstall it.
David

#5 GetSome

GetSome
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 01 August 2006 - 02:40 PM

[quote]OK thank you for helping. Heres the combofix log.


Start Time= Tue 08/01/2006 12:22:20.40
Running from: C:\Documents and Settings\TEMP.D89G8B31.001\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-31 16:57:54 ( .D... ) "C:\Program Files\Valve"
2006-07-31 13:27:42 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-30 18:04:56 ( .D... ) "C:\Program Files\Roxio"
2006-07-30 18:04:14 ( .D... ) "C:\Program Files\Common Files\Adaptec Shared"
2006-07-28 03:13:52 ( .D... ) "C:\Program Files\LimeWire"
2006-07-28 00:26:18 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-07-27 01:42:50 1064 ( A.... ) "C:\WINDOWS\SYSTEM32\unh1d6f6.sys"
2006-07-27 01:42:50 1064 ( A.... ) "C:\WINDOWS\SYSTEM32\unh1d6f6.sys"
2006-07-27 01:30:48 28672 ( A.... ) "C:\WINDOWS\system32bez6n4r21.exe"
2006-07-27 01:30:44 28672 ( A.... ) "C:\WINDOWS\SYSTEM32\bez6n4r21.exe"
2006-07-27 00:42:20 ( .D... ) "C:\Program Files\WinRAR"
2006-07-27 00:38:36 ( .D... ) "C:\Program Files\mIRC"
2006-07-25 06:18:18 ( .D... ) "C:\Program Files\PC Wizard 2006"
2006-07-25 06:07:52 43520 ( A.... ) "C:\WINDOWS\SYSTEM32\CmdLineExt03.dll"
2006-07-24 03:48:50 ( .D... ) "C:\Documents and Settings\TEMP.D89G8B31.001\Application Data\Aim"
2006-07-24 03:47:58 ( .D... ) "C:\Program Files\AIM"
2006-07-20 18:20:38 ( .D... ) "C:\Documents and Settings\TEMP.D89G8B31.001\Application Data\Xfire"
2006-07-20 18:20:34 ( .DS.. ) "C:\Program Files\Xfire"
2006-07-20 02:54:56 ( .D... ) "C:\Program Files\MSN Messenger"
2006-07-15 12:51:18 ( .D... ) "C:\Program Files\CCleaner"
2006-07-13 01:34:14 ( .D... ) "C:\Documents and Settings\TEMP.D89G8B31.001\Application Data\uTorrent"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\SYSTEM32\sirenacm.dll"
2006-06-15 15:37:56 ( .D... ) "C:\Program Files\SpywareBlaster"
2006-06-15 15:16:10 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-15 15:12:40 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-15 14:48:28 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-15 14:48:28 ( .D... ) "C:\Documents and Settings\TEMP.D89G8B31.001\Application Data\Mozilla"
2006-06-13 21:39:40 ( .D... ) "C:\Documents and Settings\TEMP.D89G8B31.001\Application Data\vlc"
2006-06-13 21:23:26 ( .D... ) "C:\Program Files\VideoLAN"
2006-06-10 05:06:28 1244580 ( A.... ) "C:\WINDOWS\pstrip-i.exe"
2006-06-10 05:06:28 465431 ( A.... ) "C:\WINDOWS\directxs.exe"
2006-06-10 02:54:36 0 ( A.... ) "C:\WINDOWS\SYSTEM32\taskkill.exe"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\SYSTEM32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\SYSTEM32\iphlpapi.dll"
2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\SYSTEM32\WdfMgr.exe"
2006-05-09 22:36:46 6656 ( A.... ) "C:\WINDOWS\SYSTEM32\uWDF.exe"
2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\SYSTEM32\wmploc.dll"
2006-05-09 22:26:34 1641472 ( ..... ) "C:\WINDOWS\SYSTEM32\wmpencen.dll"
2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\SYSTEM32\WMSPDMOE.dll"
2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\SYSTEM32\WMADMOE.dll"
2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\SYSTEM32\WMNetMgr.dll"
2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\SYSTEM32\WMADMOD.dll"
2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\SYSTEM32\WMSPDMOD.dll"
2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\SYSTEM32\wmpeffects.dll"
2006-05-09 22:26:34 417280 ( A.... ) "C:\WINDOWS\SYSTEM32\wmdrmdev.dll"
2006-05-09 22:26:34 337408 ( A.... ) "C:\WINDOWS\SYSTEM32\wmdrmnet.dll"
2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\SYSTEM32\MSWMDM.dll"
2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\SYSTEM32\wmpdxm.dll"
2006-05-09 22:26:34 267776 ( ..... ) "C:\WINDOWS\SYSTEM32\Audiodev.dll"
2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\SYSTEM32\wmpasf.dll"
2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\SYSTEM32\WMASF.dll"
2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\SYSTEM32\CEWMDM.dll"
2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\SYSTEM32\msnetobj.dll"
2006-05-09 22:26:34 203776 ( ..... ) "C:\WINDOWS\SYSTEM32\wmpsrcwp.dll"
2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\SYSTEM32\qasf.dll"
2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\SYSTEM32\MsPMSP.dll"
2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\SYSTEM32\wmidx.dll"
2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\SYSTEM32\wmpps.dll"
2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\SYSTEM32\wmpshell.dll"
2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\SYSTEM32\WMDMPS.dll"
2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\SYSTEM32\WMDMLOG.dll"
2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\SYSTEM32\MsPMSNSv.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\wmvdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\wmvdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\WMVADVE.DLL"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\WMVADVD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\wmsdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\wmsdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\wdfApi.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\MPG4DMOD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\SYSTEM32\MP43DMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\SYSTEM32\MP4SDMOD.dll"
2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\SYSTEM32\wmerror.dll"
2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\SYSTEM32\LAPRXY.dll"
2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\SYSTEM32\asferror.dll"
2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\SYSTEM32\wmvcore.dll"
2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\SYSTEM32\logagent.exe"
2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\SYSTEM32\WMVDECOD.dll"
2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\SYSTEM32\WMVSDECD.dll"
2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\SYSTEM32\WMVENCOD.dll"
2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\SYSTEM32\WMVSENCD.dll"
2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\SYSTEM32\MP4SDECD.dll"
2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\SYSTEM32\MPG4DECD.dll"
2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\SYSTEM32\WMVXENCD.dll"
2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\SYSTEM32\MP43DECD.dll"
2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\SYSTEM32\wmpmde.dll"
2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\SYSTEM32\MFPLAT.dll"
2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\SYSTEM32\drmv2clt.dll"
2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\SYSTEM32\wmdrmsdk.dll"
2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\SYSTEM32\MSSCP.dll"
2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\SYSTEM32\drmupgds.exe"
2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\SYSTEM32\blackbox.dll"
2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\SYSTEM32\WpdShext.dll"
2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\SYSTEM32\WPDShServiceObj.dll"
2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\SYSTEM32\wpdshextautoplay.exe"
2006-05-09 20:58:50 670208 ( A.... ) "C:\WINDOWS\SYSTEM32\wpd_ci.dll"
2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\SYSTEM32\PortableDeviceWiaCompat.dll"
2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\SYSTEM32\PortableDeviceApi.dll"
2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\SYSTEM32\PortableDeviceWMDRM.dll"
2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\SYSTEM32\PortableDeviceClassExtension.dll"
2006-05-09 20:58:46 343552 ( A.... ) "C:\WINDOWS\SYSTEM32\WPDSp.dll"
2006-05-09 20:58:40 144896 ( A.... ) "C:\WINDOWS\SYSTEM32\wpdmtp.dll"
2006-05-09 20:58:40 55808 ( A.... ) "C:\WINDOWS\SYSTEM32\wpdmtpus.dll"
2006-05-09 20:58:40 35840 ( A.... ) "C:\WINDOWS\SYSTEM32\wpdconns.dll"
2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\SYSTEM32\PortableDeviceTypes.dll"
2006-05-09 20:58:38 13312 ( A.... ) "C:\WINDOWS\SYSTEM32\wpdtrace.dll"
2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\SYSTEM32\ehETW.dll"
2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\SYSTEM32\MSDelta.dll"
2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\SYSTEM32\spupdsvc.exe"
2006-05-06 02:06:58 6006 ( A.... ) "C:\Documents and Settings\TEMP.D89G8B31.001\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-31 16:07 1,072,762,880 C:\hiberfil.sys
2006-07-27 01:32 1,064 C:\WINDOWS\system32\unh1d6f6.sys
2006-07-27 01:30 28,672 C:\WINDOWS\system32bez6n4r21.exe
2006-07-27 01:30 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-07-25 06:18 119,568 C:\WINDOWS\system32\vb6fr.dll
2006-07-20 22:18 11,776 C:\WINDOWS\system32\ZPORT4AS.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"MCAgentExe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"VirusScan Online"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"2wSysTray"="C:\\Program Files\\2Wire\\2PortalMon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"HP Component Manager"="\"c:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"Steam"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,86,01,00,00,00,00,00,00,7a,02,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,86,01,00,00,00,00,00,00,7a,02,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1077164172.job
C:\WINDOWS\tasks\McAfee.com Update Check (D89G8B31-Emily Wong).job
C:\WINDOWS\tasks\McAfee.com Update Check (D89G8B31-Henry Wong).job
C:\WINDOWS\tasks\McAfee.com Update Check (D89G8B31-Kenneth Wong).job
C:\WINDOWS\tasks\McAfee.com Update Check (D89G8B31-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (D89G8B31-Winnie Ho).job
C:\WINDOWS\tasks\McAfee.com Update Check (DELLDIMENSION-Kenneth Wong).job
C:\WINDOWS\tasks\McAfee.com Update Check (DELLDIMENSIOND-Kenneth Wong).job

Completion time: Tue 08/01/2006 12:23:14.95
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt




Heres a new hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 12:26:42 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\TEMP.D89G8B31.001\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deanza.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.deviantart.com/view/7789285/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917837171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917826953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


I have tried to clean up as much space on my hard drive as possible but most of my files are media files, I only play three games and they don't take much much space maybe 1.5 gigabytes together. I am planning on buying a portable hard disk so I could transfer some of my media files onto. Thank you for your time.

Edited by GetSome, 01 August 2006 - 02:50 PM.


#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:08 AM

Posted 01 August 2006 - 03:17 PM

No problem at all GetSome, let's continue.
We only have a few things to do now.

1) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32bez6n4r21.exe
C:\WINDOWS\SYSTEM32\bez6n4r21.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

2) Your Java is out of date and the older versions are being exploited by malware.
It is the likely cause of your infection, so we need to get it patched up as soon as possible.
Click on start, then control panel, and then double-click on add/remove programs.
Search in the list for all older installed versions of Java. (J2SE Runtime Environment.... )
It should have next icon next to it: Posted Image
Highlight each and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

3) Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, copy and paste next in the field:

C:\WINDOWS\SYSTEM32\unh1d6f6.sys

Then click the Send File button below.
Please let me know when you have submitted the file.

Please post back with a new Hijackthis log.
Let me know how the system is running for you...
I see a clean log here.

David :thumbsup:

#7 GetSome

GetSome
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 01 August 2006 - 03:35 PM

OK I have downloaded and opened up killbox. Do I put in the file paths one at a time into the "Full path of File to Delete" bar?

C:\WINDOWS\system32bez6n4r21.exe


and then afterwards


C:\WINDOWS\SYSTEM32\bez6n4r21.exe

correct?

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:08 AM

Posted 01 August 2006 - 03:57 PM

No, that's not the right way to do it.
Follow the instructions exactly below.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.

Then highlight the following entries (Both of them) and copy them by right clicking and selecting copy:

C:\WINDOWS\system32bez6n4r21.exe
C:\WINDOWS\SYSTEM32\bez6n4r21.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Let me know if this makes more sense to you,
I can go into more detail if need be.

David

#9 GetSome

GetSome
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 01 August 2006 - 04:41 PM

Your recent instructions have been completed and the file has been submitted. Here is a new hijack this log. My system has been running fine but spyware doctor uses 100% cpu at startup when i try to click icons and do other stuff, I'm not sure if that is really a problem or not though it has always taken a long time on startup.

Logfile of HijackThis v1.99.1
Scan saved at 2:39:44 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TEMP.D89G8B31.001\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deanza.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.deviantart.com/view/7789285/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917837171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917826953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Edited by GetSome, 01 August 2006 - 04:47 PM.


#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:08 AM

Posted 01 August 2006 - 04:45 PM

Hey GetSome.
The file you submitted is malware, let's delete it.

1) Please find and delete the following file:
C:\WINDOWS\SYSTEM32\unh1d6f6.sys

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

I think I see a clean system here.
How is the computer running for you?

David

#11 GetSome

GetSome
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 01 August 2006 - 06:53 PM

I have used Panda ActiveScan to scan "local disks" and it found nothing. But when I used it to scan "my computer" it found a spyware called "shop nav"

Incident Status Location

Spyware:spyware/shopnav Not disinfected Windows Registry

Heres the link that was provided in the ActiveScan log.

http://www.pandasoftware.com/virus_info/en...deteccion=40067


And here is a my new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:13:27 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Valve\Steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TEMP.D89G8B31.001\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deanza.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.deviantart.com/view/7789285/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917837171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917826953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Edited by GetSome, 01 August 2006 - 10:15 PM.


#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:08 AM

Posted 03 August 2006 - 12:12 PM

Hey GetSome,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
shopnav
[Exclude]

[Options]
Filter=KVDLUI

Download Registry Search and extract it. Doubleclick the icon to run and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

2) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

3) I see a clean log here so we can move onto the mcafee problem

One more small problem is my McAfee Security center online virus scanner does not work anymore it starts up in the system tray by the clock whenever windows starts and I get this message saying it does not work everytime I start up my computer. The uninstaller does not work and i have no use for the McAfee shield or any McAfee progams anyway, so is there a way I can uninstall McAfee or a way to make sure that it does not start up when windows starts? It is quite outdated and useless now because it came with my PC as a 1 year subscription in the summer of 03.

I have a plan but to start with I want you to post exactly what you see when you run the uninstaller for mcafee, like an error message or code etc - Does it tell you the installer is missing or does it tell you that the uninstaller could not work? I think that we might have to stop as many running processes/services as possible first of the antivirus then see if it can be removed that way. Let me know first what the uninstaller does. Remember to go through add/remove in the control panel and uninstall that way.

Please post back with:
1) Regsearch log
2) Uninstall list
3) Mcafee infomation

David

Edited by D-Trojanator, 03 August 2006 - 12:12 PM.


#13 GetSome

GetSome
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 03 August 2006 - 04:54 PM

Here is the RegSearch Log

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 8/3/2006 2:42:28 PM for strings:
; 'symantec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

; End Of The Log...


I tired to run the uninstaller for McAfee online scanner and McAfee Security Center and suprpisingly the both worked perfectly. As of now they are both uninstalled. Here is the hijackthis uninstaller list.

2Wire Wireless Client
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
AOL Instant Messenger
Basic Math 1 1.0
Britannica Ready Reference
CCleaner (remove only)
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
Conexant SmartHSFi V92 56K DF PCI Modem
DAO
dBpowerAMP Music Converter
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Dell Support 5.0.0 (766)
Digital Line Detect
DirectX Media Runtime 5.1
DivX Player
DivX Pro Codec Adware
DVDSentry
EarthLink Setup Files
Easy CD Creator 5 Basic
GdiplusUpgrade
HijackThis 1.99.1
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Image Resizer Powertoy for Windows XP
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InterActual Player
J2SE Runtime Environment 5.0 Update 6
LimeWire PRO 4.12.3
Logo Snow Fall Screen Saver
Macromedia Flash Player 8
Macromedia Shockwave Player
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Windows XP Video Decoder Checkup Utility
mIRC
Modem Helper
Mozilla Firefox (1.5.0.5)
MSN Music Assistant
NetWaiting
NVIDIA Drivers
overland
Paint Shop Pro 7
Panda ActiveScan
PC Wizard 2006.1.691
PCFriendly
PowerDVD
QuickTime
RealPlayer
SBC Yahoo! Applications
SBC Yahoo! DSL Home Networking Installer
Spybot - Search & Destroy 1.4
Spyware Doctor 4.0
SpywareBlaster v3.5.1
Steam
Storybook Weaver Deluxe
URGE
Ventrilo Client
VideoLAN VLC media player 0.8.5
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Westwood Shared Internet Components
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 2
WinRAR archiver
Xfire (remove only)

And here is a new hijackthis logLogfile of HijackThis v1.99.1
Scan saved at 3:52:40 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\TEMP.D89G8B31.001\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deanza.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.deviantart.com/view/7789285/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917837171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135917826953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe




I haven't notice any problems with my system lately and it actually seems to be running remarkably more smoothly thanks to you.

Edited by GetSome, 03 August 2006 - 05:55 PM.


#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:08 AM

Posted 04 August 2006 - 03:21 AM

Hey, GetSome

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) I see you have Viewpoint installed.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
2) You are using the LimeWire p2p file sharing program.
This is not technically malware by itself, but it installs malware in order to run properly.
It also opens the door for every other nasty program you can think of.
I strongly recommend that you remove it from your computer.
Read this article for alternatives that will provide some of the same function without the garbage:
http://www.spywareinfo.com/articles/p2p/

I suggest you remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
LimeWire

This is another article you can read:
http://www.cexx.org/adware.htm

3) You are missing one important program on that computer - an antivirus!
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs..
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

4) Your Java is out of date and the older versions are being exploited by malware.
It is the likely cause of your infection, so we need to get it patched up as soon as possible.
Click on start, then control panel, and then double-click on add/remove programs.
Search in the list for all older installed versions of Java. (J2SE Runtime Environment.... )
It should have next icon next to it: Posted Image
Highlight each and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

5) You kinda did the regsearch a bit wrong.
For some reason you typed "symantec in the search parameter file instead of "shopnav" :thumbsup: Can you repeat step1 from Post #12 please and post the log here.

Please post back with the log and let me know how the system runs for you.
I see a clean log here, congratulations!
David

#15 GetSome

GetSome
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:03:08 AM

Posted 04 August 2006 - 05:04 AM

Viewpoint manager and Viewpoint media player have been uninstalled.

You mentioned in an earlier post that I should delete all the older versions and gave me a link to install the latest version. I uninstalled all the older java versions and used your link to install the latest version I believe it was Version 5.0 update 6.

My mistake with the last RegSearch log, there were 2 "Options" text documents, the one I made and the one came with the RegSearch progam and I selected the wrong one and so it searched for symantec. Below is what I got when I using RegSearch to locate "shopnav"

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 8/4/2006 2:36:50 AM for strings:
; 'shopnav'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com\search]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com\search]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com\search]

[HKEY_USERS\S-1-5-21-2296624935-3589512056-985476935-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\search.shopnav.com]

[HKEY_USERS\S-1-5-21-2296624935-3589512056-985476935-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com]

[HKEY_USERS\S-1-5-21-2296624935-3589512056-985476935-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com\search]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shopnav.com\search]

; End Of The Log...

I will install antivirus software but I'm looking for one that uses less system resources would you recommend AVG or Avast?

Edited by GetSome, 04 August 2006 - 05:14 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users