Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trying To Remove Adware/spyware/trojan


  • Please log in to reply
14 replies to this topic

#1 TiffanyH

TiffanyH

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 14 September 2006 - 10:49 PM

Can someone help? I've tried for 14 hours to remove all of the hijacker and trojans my computer became infected with but they're still around.

I was playing an online game last night when about 10 IE windows began popping up, thus practically disabling my computer. It began to respond very slowly. I have spent all day today trying to get rid of them all.

I followed all of the instructions on the "Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer" with the exception of adding another firewall (I only have the Windows Firewall at this time).

Before finding this site, I downloaded and used Hijackthis, ATF Cleaner, VirtumundoBeGone, Ewido, bought SpyWare Doctor and did safe-mode instructions on one of them (there's been too many steps, now I've forgotten).

Each time I finish a scan and then restart the computer, the OIDAdserver pops up all kinds of windows. Others in my Spy sweeper start up items included Duce6, (btvpj) & (ewoohs) FFKWIU, Defender, jwuvdsiA, topaff, ms053755111438, setpop06apsept... I think that's it.

My Symantec AntiVirus sometimes pops up and tells me that a file has been quarantined, Trojan.dropper.

This is my latest HIJACK THIS log - What else should I do?


HIJACK THIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 8:29:56 PM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\keyhook.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1147963290\ee\AOLSoftware.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\?ymantec\w?auboot.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [HPHmon03]

C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe"

SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common

Files\AOL\1147963290\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common

Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [vptray] "C:\Program

Files\Symantec_Client_Security\Symantec

AntiVirus\vptray.exe"
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ewoohs]

C:\WINDOWS\system32\ffkwiu.exe reg_run
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program

Files\Washer\washidx.exe "Compaq_Owner"
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN

Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tcjjwjk] "C:\Program

Files\?ymantec\w?auboot.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather

Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program

Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [btvpj] C:\WINDOWS\system32\ffkwiu.exe

reg_run
O8 - Extra context menu item: &Yahoo! Search -

file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary -

file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps -

file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS -

file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}

(Snapfish Activia) -

http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/

en/x86/client/muweb_site.cab?1145110217890
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A}

(Shutterfly Picture Upload Plugin) -

http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8}

(Aurigma Image Uploader 3.5 Control) -

http://www.dotphoto.com/DPImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1}

(FujifilmUploader Class) -

http://photo.walmart.com/photo/uploads/FujifilmUploadClient

.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/MsnMessengerSetupDo

wnloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

(PopCapLoader Object) -

http://clubgames.pogo.com/online2/pogop/chuzzle/popcaploa

der_v6.cab
O18 - Protocol: msnim -

{828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon -

C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier -

C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj -

{AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation -

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware

Development a.s. - C:\Program Files\ewido anti-spyware

4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SecurityCenter Update Manager

(mcupdmgr.exe) - Networks Associates Technology, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus

Server) - Symantec Corporation -

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver - HP -

C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools

Research Pty Ltd - C:\Program Files\Spyware

Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine

(WebrootSpySweeperService) - Webroot Software, Inc. -

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program

Files\Linksys Wireless-G PCI Network Adapter with

SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file

missing)

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 15 September 2006 - 11:31 AM

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Please post a new HijackThis log and in Notepad be sure to click on Format and place a check mark beside "word wrap" so the log will be easier to read.

#3 TiffanyH

TiffanyH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 15 September 2006 - 11:53 AM

Hi, and thanks for trying to help. :-)


OK, I did the ComboFix and HJT, logs are as follows:
(WordWrap was checked, but it doesn't look like it's formatted that way)



COMBOFIX

Compaq_Owner - 06-09-15 9:41:40.46 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Compaq_Owner\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\misc002
C:\Program Files\Common Files\{442D936F-08A2-1033-1029-040624040001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Compaq_Owner\Application Data\DOBE~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-15 to 2006-09-15 ))))))))))))))))))))))))))))))))))


2006-09-15 07:54 131,072 --a------ C:\WINDOWS\system32\eidijr.dll
2006-09-14 20:27 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-13 20:35 186,381 --a------ C:\WINDOWS\srvacwrhrq.exe
2006-09-13 20:34 21,900 --a------ C:\WINDOWS\system32\wc79bbb4.dll
2006-09-13 20:34 150,000 -r-hs---- C:\WINDOWS\jwuvdsiA.exe
2006-09-13 20:32 348,676 --a------ C:\803_104.exe
2006-09-13 20:32 2 --a------ C:\WINDOWS\system32\wapiit.exe
2006-09-13 20:32 140 --a------ C:\WINDOWS\dardy.dll
2006-09-13 20:31 267,228 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-13 20:31 184,795 --a------ C:\WINDOWS\YazzleBundle-1264.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-15 09:43 -------- d-------- C:\Program Files\Common Files
2006-09-15 07:51 -------- d-------- C:\Program Files\Hijackthis
2006-09-15 03:08 -------- d-------- C:\Program Files\Internet Explorer
2006-09-15 03:07 -------- d-------- C:\Program Files\Windows Media Player
2006-09-15 03:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-15 03:02 -------- d-------- C:\Program Files\Outlook Express
2006-09-15 03:02 -------- d-------- C:\Program Files\Common Files\System
2006-09-14 18:44 -------- d-------- C:\Program Files\MyWay
2006-09-14 15:57 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2006-09-14 15:56 -------- d-------- C:\Program Files\Lavasoft
2006-09-14 11:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-14 09:58 -------- d-------- C:\Program Files\MSN
2006-09-14 09:58 -------- d-------- C:\Program Files\Common Files\mkkw
2006-09-14 08:30 -------- d-------- C:\Program Files\Spyware Doctor
2006-09-14 07:53 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\PC Tools
2006-09-13 22:15 83208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-13 22:15 73496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-13 22:15 -------- d-------- C:\Program Files\Symantec
2006-09-13 22:15 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-13 20:32 93635 --ahs---- C:\Program Files\Common Files\Yazzle1264OinUninstaller.exe
2006-09-13 20:32 -------- d-------- C:\Program Files\Online Services
2006-09-13 20:32 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-13 20:31 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-24 11:40 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-11 13:37 -------- d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2006-08-04 08:59 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Snapfish
2006-08-01 21:01 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-08-01 21:01 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-18 14:51 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2006-06-25 12:01 119328 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-06-21 22:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-21 22:06 1435648 --a------ C:\WINDOWS\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Aim6"=""
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"
"Mskexe"="c:\\PROGRA~1\\mcafee\\SPAMKI~1\\spamkiller.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Logitech Utility"="Logi_MwX.Exe"
"HPHmon03"="C:\\WINDOWS\\system32\\hphmon03.exe"
"SiSPower"="\"Rundll32.exe\" SiSPower.dll,ModeAgent"
"AlcxMonitor"="ALCXMNTR.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HostManager"="\"C:\\Program Files\\Common Files\\AOL\\1147963290\\ee\\AOLSoftware.exe\""
"IPHSend"="\"C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe\""
"vptray"="\"C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe\""
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservicesonce]
"washindex"="C:\\Program Files\\Washer\\washidx.exe \"Compaq_Owner\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\mecevenum.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,c2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,1c,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,1c,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Watch.lnk]
"backup"="C:\\WINDOWS\\pss\\Watch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\twain_32\\S6U12BX\\WATCH.exe "
"item"="Watch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VTTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (MAIN-Compaq_Owner).job

Completion time: Fri 09/15/2006 9:43:56.48
ComboFix.txt


HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:45:32 AM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\keyhook.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1147963290\ee\AOLSoftware.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: (no name) - {A494A362-3CD9-1452-A4AB-151341A930B3} - C:\WINDOWS\system32\eidijr.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {A494A362-3CD9-1452-A4AB-151341A930B3} - C:\WINDOWS\system32\eidijr.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1147963290\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [vptray] "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Compaq_Owner"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145110217890
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.dotphoto.com/DPImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/ch...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 15 September 2006 - 12:59 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

Oin, Yazzle by OIN, or anything similar with Oin in it.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: (no name) - {A494A362-3CD9-1452-A4AB-151341A930B3} - C:\WINDOWS\system32\eidijr.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\eidijr.dll
C:\WINDOWS\srvacwrhrq.exe
C:\WINDOWS\system32\wc79bbb4.dll
C:\WINDOWS\jwuvdsiA.exe
C:\803_104.exe
C:\WINDOWS\system32\wapiit.exe
C:\WINDOWS\dardy.dll
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\YazzleBundle-1264.exe
C:\Program Files\Common Files\Yazzle1264OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please find and delete this folder if it's there:
C:\Program Files\Common Files\mkkw

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Post back with a new Hijackthis log.
David

Edited by D-Trojanator, 15 September 2006 - 01:00 PM.


#5 TiffanyH

TiffanyH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 15 September 2006 - 03:10 PM

OK, so far so good? Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:05:47 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\keyhook.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Common Files\AOL\1147963290\ee\AOLSoftware.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {A494A362-3CD9-1452-A4AB-151341A930B3} - C:\WINDOWS\system32\eidijr.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1147963290\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [vptray] "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Compaq_Owner"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145110217890
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.dotphoto.com/DPImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/ch...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 15 September 2006 - 03:21 PM

Hey TiffanyH, looking much better already.

Please fix the following entries with Hijackthis:

O2 - BHO: (no name) - {A494A362-3CD9-1452-A4AB-151341A930B3} - C:\WINDOWS\system32\eidijr.dll (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/ch...aploader_v6.cab


I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause false alarms - When the anti virus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Symantec or Mcafee.
If you remove Mcafee please understand you will have to install a new firewall as the mcafee one will have been uninstalled also.

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

David

Edited by D-Trojanator, 15 September 2006 - 03:22 PM.


#7 TiffanyH

TiffanyH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 15 September 2006 - 04:44 PM

Alrighty, David. Here we go:


Panda Log:



Incident Status Location

Spyware:Spyware/7r7t Not disinfected C:\!KillBox\srvacwrhrq.exe
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\wc79bbb4.dll
Adware:Adware/PurityScan Not disinfected C:\!KillBox\Yazzle1281OinAdmin.exe
Adware:Adware/PurityScan Not disinfected C:\!KillBox\YazzleBundle-1264.exe[++\Yazzle1264OinAdmin.exe]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats.drivecleaner[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\virus stuff\VirtumundoBeGone.exe[]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Compaq_Owner\My Documents\1icrosoft.NET55\csrss.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe



HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:37:48 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\keyhook.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Common Files\AOL\1147963290\ee\AOLSoftware.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Registry Toolkit\RegToolkit.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1147963290\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [vptray] "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Compaq_Owner"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145110217890
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.dotphoto.com/DPImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)


As far as dual Virus programs, I'm not aware that I have both Symantec and McAffee. I use McAffee SpamKiller, but not the virus program... to my knowledge. I'll check on it.

Thanks!
Tiffany
http://www.pbase.com/tiffh

Edited by TiffanyH, 15 September 2006 - 04:44 PM.


#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 16 September 2006 - 04:57 AM

Please empty this folder:
C:\!KillBox

Please delete this folder:
C:\Documents and Settings\Compaq_Owner\My Documents\1icrosoft.NET55

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer .
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the fox --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

I see a clean log here now, how do you feel the system is running?
David

#9 TiffanyH

TiffanyH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 16 September 2006 - 10:02 AM

Hi, David!

Oh boy, things are running much closer to normal now. NO MORE POPUPS! The only thing happening now is an error message on startup and shutdown (for my wireless router), but I can live with that! lol

Thank you so much! Is that it? I mean, it's all clean? I'm really impressed with the way you were able to do all of that by looking at the logs. Amazing. :-)

Tiffany
http://www.pbase.com/tiffh

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 16 September 2006 - 11:49 AM

I'm glad to hear you are happy with the system's performance, and you're welcome for the help :thumbsup:
Can you give me exact details of this error please and I'll do my best to sort it out for you.

#11 TiffanyH

TiffanyH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 16 September 2006 - 01:09 PM

Here are the errors I'm receiving:

Linksys Wireless Network Monitor (error on startup)

Access violation at address 004A55F7 in module 'WMP54GSv1_1.exe'. Read of address 00000000.

Linksys Wireless Network Monitor (error on shutdown, x2)

The Instruction at 0x026152ed referenced memory 0x026152ed.

The memory could not be 'read'.

Click OK to terminate Click Cancel to Debug

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 16 September 2006 - 05:06 PM

I think these errors are related to a non-necessary service created for Belkin routers.
I think if we disable this process those errors will stop.

Click on start, click run and type: services.msc
In the list of services look for: WMP54GSSVC
Right click on it and hit properties.
In the drop down box next to "startup type" choose: disabled
Ok you're way out, and reboot.
Let me know if you get either of the errors again.

David

#13 TiffanyH

TiffanyH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 16 September 2006 - 07:27 PM

That was a good try, David, but it didn't work. Oh well, right?

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 17 September 2006 - 03:25 AM

That was my only idea I'm afraid. I have another incling, but I'm not too sure whether it's safe.
I recommend that you post your question in the following forum as you will recieve better help there. Let them know you have had your Hijackthis log checked, and it isn't a serious security issue.
Windows XP Home and Professional

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:08 AM

Posted 06 October 2006 - 12:08 PM

Thanks to the member sonnytwins, here is a solution for the 'WMP54GSv1_1.exe' error that TiffanyH was experiencing:

"I used to get the same error popup as TiffanyH, until I got the fix (from Linksys customer support chat session), here are the details and the fix:

router: WRT54GS Linksys wireless router with Speedbooster
network card: WMP54GS
OS: Windows XP home
the problem: each time the PC shuts down, get multiple annoying error popups relating to wmp54gsv1_1.exe. Sometimes happens at startup too. The router connection stills works fine though, it's just an inconvenience I guess.

- uninstall the network card
- reboot
- when it comes back up, it'll bring up a "found new hardware" popup
- choose the "automatic" option
- insert the CD that came with the network card, then wait a few seconds
- voila!

The idea is to use the Windows utility for the network card, not the Linksys one. This worked right away for me, no more annoying error popups upon shutdown, and the internet connection is as good as it ever was.

BTW, this response had nothing to do with the virus/spyware issue that originated the thread, it's only about the error popup wmp54gsv1_1.exe (which appears in the last couple of paragraphs in the thread).

Good luck everyone!"

Thanks for the tip sonnytwins.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users