please help me! hijacklog attached



#1 slickpimpn

Posted 23 December 2004 - 12:28 AM

Logfile of HijackThis v1.98.2
Scan saved at 12:27:56 AM, on 12/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\Root32.exe
C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
C:\WINDOWS\system32\JLJEHDMKUQ.EXE
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\tpfacu.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\documents and settings\kellie staten\local settings\temp\4.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\documents and settings\kellie staten\local settings\temp\IFhwz.exe
C:\WINDOWS\system32\dllsrv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\documents and settings\kellie staten\local settings\temp\8FVujg1Tj.exe
C:\WINDOWS\system32\juulogon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\jobcore.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\system32\??rvices.exe
C:\Documents and Settings\Kellie Staten\Application Data\eetu.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\KELLIE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alcorn.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
F2 - REG:system.ini: Shell=explorer.exe nstask32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {1BAB4C2D-9244-74C1-8754-125509857B49} - C:\WINDOWS\system32\usn.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Kellie Staten\Local Settings\Temp\0JzDqu.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Windows Root Account] Root32.exe
O4 - HKLM\..\Run: [WindowsSetup] C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
O4 - HKLM\..\Run: [NDplDeamon] nstask32.exe
O4 - HKLM\..\Run: [MSConfig] JLJEHDMKUQ.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ltytwuwvqvou] C:\WINDOWS\System32\tpfacu.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [4] C:\documents and settings\kellie staten\local settings\temp\4.exe
O4 - HKLM\..\Run: [WvvIZsJ] C:\documents and settings\kellie staten\local settings\temp\WvvIZsJ.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\LgnJ8V3.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
O4 - HKLM\..\Run: [IFhwz] C:\documents and settings\kellie staten\local settings\temp\IFhwz.exe
O4 - HKLM\..\Run: [SKQUOTAD] C:\WINDOWS\System32\SKQUOTAD.exe
O4 - HKLM\..\Run: [lusapic] C:\WINDOWS\System32\lusapic.exe
O4 - HKLM\..\Run: [YNCUIS] C:\WINDOWS\System32\YNCUIS.exe
O4 - HKLM\..\Run: [Microsoft Upgdate] dllsrv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [CIFiXM] C:\documents and settings\kellie staten\local settings\temp\CIFiXM.exe
O4 - HKLM\..\Run: [8FVujg1Tj] C:\documents and settings\kellie staten\local settings\temp\8FVujg1Tj.exe
O4 - HKLM\..\Run: [OwM] C:\documents and settings\kellie staten\local settings\temp\OwM.exe
O4 - HKLM\..\Run: [qs5k39g] juulogon.exe
O4 - HKLM\..\RunServices: [Windows Root Account] Root32.exe
O4 - HKLM\..\RunServices: [Microsoft Upgdate] dllsrv.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [bBuqRVM5W] jobcore.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Microsoft Upgdate] dllsrv.exe
O4 - HKCU\..\RunOnce: [NDplDeamon] nstask32.exe
O4 - HKCU\..\RunOnce: [MSConfig] JLJEHDMKUQ.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] EXPLORER.EXE
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: Virtual Bouncer.lnk = ?
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TFTP552
O4 - Global Startup: webdav.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/FWInstaller.exe
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/aut.../autopricer.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_1.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing) (HKLM)

#2 phawgg

Posted 23 December 2004 - 02:14 PM

I'll be checking it asap, slickpimpn. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg

Posted 24 December 2004 - 12:14 PM

slickpimpn, your last PC cleanup was just practice. The good news = you are fully updated!

You will lose your Internet connection temporarily during the fix procedure.
Copy/paste these instructions to a notepad/wordpad or choose file-->save page as: HJT instructions
Please read the information provided at the "download locations".

The "info only" links provided are optional reading.
Many are not exactly specific to your present problem, but may shed light on the nature of what you are dealing with now.
Please don't be confused by it. You may choose to ignore it.
In most cases it simply shows it's been removed before because it is spyware, a browser hijacker, a trojan, etc.

1. Please download Hijack This 1.99 installer. This will install to C:\Program Files\HijackThis automatically.
We will be deleting the version you ran for the log I've used here later in the fix procedure. That's OK.
From now on, when you use HJT, simply open it from its new location, closing all other windows when you do.

2. You need some tools. Click the links to download:
Peper remover. One part of the infection will be removed using this.
YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass the firewall.
Run by (double)clicking the redX on your desktop. Then "find & fix". It should save you some time with below listed deletions.
Please run this twice with a reboot in between.

CWShredder 2.12. Download the program,
unzip (extract) it into a directory (folder) that you have created. We'll use it later.
System Security Suite Install this program, look it over, read about it, but don't run it quite yet.

You will also need to install Ad-Aware SE Personal 1.05, unless you already have this version on this PC.
You should uninstall an older version before installing this.
Refer to the program's "help" menu, and read a basic tutorial for helpful advice.

Run Ad-Aware and immediately check for updates. Exit after updating.
Next, install VX2 variant add-on to your Ad-Aware. download location VX2 variant add-on. ( precautionary measure)
Select "Add-ons" from the menu on the left.
At new page, select VX2 cleaner on the right.
Download to your desktop, close all open browsers and windows.
Just the install wizard open, please.
Follow the prompts to install, it will locate the proper location for you. Exit, we will run it again later.

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Start-->Add or Remove Programs-->(if found) Uninstall any instances of
Toolbar info only info only
WinTools info only
CxtPls info only
WindowsSA info only info only
AutoUpdate info only info only info only
Web Offer
info only details.

Reboot your computer into Safe Mode by tapping F8 until
the DOS screen appears. Yes. Use the up arrow to choose safe mode. Hit enter. OK.

Open your C:\Program Files\HijackThis and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
F2 - REG:system.ini: Shell=explorer.exe nstask32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing) info only
O2 - BHO: (no name) - {1BAB4C2D-9244-74C1-8754-125509857B49} - C:\WINDOWS\system32\usn.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll info only
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Kellie Staten\Local Settings\Temp\0JzDqu.dll
info only

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [Windows Root Account] Root32.exe info only
O4 - HKLM\..\Run: [NDplDeamon] nstask32.exe
O4 - HKLM\..\Run: [MSConfig] JLJEHDMKUQ.EXE
O4 - HKLM\..\Run: [ltytwuwvqvou] C:\WINDOWS\System32\tpfacu.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe info only
O4 - HKLM\..\Run: [4] C:\documents and settings\kellie staten\local settings\temp\4.exe
O4 - HKLM\..\Run: [WvvIZsJ] C:\documents and settings\kellie staten\local settings\temp\WvvIZsJ.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\LgnJ8V3.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
O4 - HKLM\..\Run: [IFhwz] C:\documents and settings\kellie staten\local settings\temp\IFhwz.exe
O4 - HKLM\..\Run: [SKQUOTAD] C:\WINDOWS\System32\SKQUOTAD.exe
O4 - HKLM\..\Run: [lusapic] C:\WINDOWS\System32\lusapic.exe
O4 - HKLM\..\Run: [YNCUIS] C:\WINDOWS\System32\YNCUIS.exe
O4 - HKLM\..\Run: [Microsoft Upgdate] dllsrv.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [CIFiXM] C:\documents and settings\kellie staten\local settings\temp\CIFiXM.exe
O4 - HKLM\..\Run: [8FVujg1Tj] C:\documents and settings\kellie staten\local settings\temp\8FVujg1Tj.exe
O4 - HKLM\..\Run: [OwM] C:\documents and settings\kellie staten\local settings\temp\OwM.exe
O4 - HKLM\..\Run: [qs5k39g] juulogon.exe
O4 - HKLM\..\RunServices: [Windows Root Account] Root32.exe
O4 - HKLM\..\RunServices: [Microsoft Upgdate] dllsrv.exe
O4 - HKCU\..\Run: [bBuqRVM5W] jobcore.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [NDplDeamon] nstask32.exe info only
O4 - HKCU\..\RunOnce: [MSConfig] JLJEHDMKUQ.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] EXPLORER.EXE
O4 - Startup: Virtual Bouncer.lnk = ? info only
O4 - Global Startup: TFTP552
O4 - Global Startup: webdav.exe info only

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing) (HKLM)

Fix button is clicked when you are certain of the deletions. (yes, that many)

Search for, locate and delete the following files or folders
(Don't be concerned if they don't exist, the previous steps may have eliminated them.)
Do not delete the main folders C:\WINDOWS or C:\Program Files.
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder, right-click-->delete individual files.

Delete manually:

C:\webdav.exe<-- this file only
C:\JLJEHDMKUQ.EXE<-- this file only
C:\nstask32.exe<-- this file only
C:\jobcore.exe<-- this file only
C:\dllsrv.exe<-- this file only
C:\Root32.exe<-- this file only
C:\juulogon.exe<-- this file only

C:\WINDOWS\systb.dll<-- this file only

C:\WINDOWS\System32\YNCUIS.exe<-- this file only
C:\WINDOWS\System32\lusapic.exe<-- this file only
C:\WINDOWS\System32\SKQUOTAD.exe<-- this file only
C:\Windows\System32\wsaupdater.exe<-- this file only
C:\WINDOWS\System32\LgnJ8V3.exe<-- this file only
C:\WINDOWS\System32\tpfacu.exe<-- this file only
C:\WINDOWS\system32\usn.dll<-- this file only
C:\WINDOWS\System32\ms.exe<-- this file only

C:\PROGRA~1\Web Offer\wo.exe<--search for the file name and when found delete it and the folder it was in
C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll<--search for the file name and when found delete it and the folder it was in
C:\PROGRA~1\Toolbar\TBPS.exe<--search for the file name and when found delete it and the folder it was in

C:\Program Files\SEP\sep.dll<--search for the file name and when found delete it and the folder it was in
C:\Program Files\CxtPls\plg0\cxtpls.dll<--search for the file name and when found delete it and the folder it was in
C:\Program Files\eSyndicate\esyn.dll<--search for the file name and when found delete it and the folder it was in
C:\Program Files\AutoUpdate\AutoUpdate.exe<--search for the file name and when found delete it and the folder it was in
C:\Program Files\Common Files\WinTools\WToolsA.exe<--search for the file name and when found delete it and the folder it was in
C:\Program Files\BullsEye Network\bin\bargains.exe<--search for the file name and when found delete it and the folder it was in
C:\Program Files\WindowsSA\omniscient.exe<--search for the file name and when found delete it and the folder it was in

Note: Regarding EXPLORER.EXE<-- this file only. When you search, if you see it in any other location besides:
C:\Windows
C:\Windows\Prefetch
C:\Windows\Service Pack Files\i386 please note the other location(s), don't delete & post that info with your next log.

These should be deleted in the next step - cleaning your temp folders
C:\Documents and Settings\Kellie Staten\Local Settings\Temp\0JzDqu.dll
C:\documents and settings\kellie staten\local settings\temp\4.exe
C:\documents and settings\kellie staten\local settings\temp\WvvIZsJ.exe
C:\documents and settings\kellie staten\local settings\temp\OwM.exe
C:\documents and settings\kellie staten\local settings\temp\8FVujg1Tj.exe
C:\documents and settings\kellie staten\local settings\temp\CIFiXM.exe
C:\documents and settings\kellie staten\local settings\temp\IFhwz.exe


Run Ad-Aware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next".
Let Ad-Aware remove anything it finds. Next, select "Add-ons"-->select & highlight VX2-->Run tool-->OK-->close.

Run System Security Suite. (All windows and browsers closed)
To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options.
At the General tab, which should be the first tab you are currently on, click on the Delete Files button
and put a checkmark in Delete offline content. Then press the OK button.

Run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

Reboot your computer to go back to normal mode.

Run HijackThis again and post the new log as a reply to this post. Please add comments.
Is it running better? Any problems?
patiently patrolling, plenty of persistent pests n' problems ...
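The cleanup instructions above single out a few recurring patterns in the O4 and F2 lines of the log: autoruns that give only a bare filename (Root32.exe, dllsrv.exe, EXPLORER.EXE), executables launched from the user's Temp folder, a svchost.exe sitting outside C:\WINDOWS\system32, and Shell/UserInit values that chain extra programs at logon. The script below is an added example, not part of this thread or of HijackThis, that parses lines in that log format and applies those same checks; the sample lines are a constructed subset of the log posted above, and the heuristics and function names are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.98 log format: a subset of the log posted in this
# thread, plus two benign entries (Norton, MSN Messenger) the heuristics should leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe nstask32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Windows Root Account] Root32.exe
O4 - HKLM\..\Run: [WindowsSetup] C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
O4 - HKLM\..\Run: [4] C:\documents and settings\kellie staten\local settings\temp\4.exe
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
O4 - HKLM\..\RunServices: [Microsoft Upgdate] dllsrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)

# Where the genuine copies of these Windows XP binaries live; a file with the same name
# anywhere else (the log's C:\WINDOWS\Config\Setup\Microsoft\svchost.exe) is a lookalike.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "services.exe", "lsass.exe", "winlogon.exe"}
VALID_SHELL = "explorer.exe"
VALID_USERINIT = "c:\\windows\\system32\\userinit.exe"


@dataclass
class Finding:
    line: str
    reason: str


def exe_from_command(cmd: str) -> Optional[str]:
    """Return the executable part of an O4 command, with quotes and arguments dropped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def check_o4(m: "re.Match") -> List[str]:
    """Apply the three O4 patterns the cleanup post above singles out."""
    exe = exe_from_command(m.group("cmd"))
    if exe is None:
        return ["command does not name an .exe"]
    directory = ntpath.dirname(exe).lower()
    base = ntpath.basename(exe).lower()
    reasons = []
    if not directory:
        # Root32.exe, dllsrv.exe, EXPLORER.EXE: which copy runs depends on the search path.
        reasons.append("bare filename, no fixed location: resolved via the search path")
    elif base in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"{base} outside its Windows location (lookalike of a system binary)")
    if "\\local settings\\temp" in directory:
        reasons.append("executable launched from the user's Temp folder")
    return reasons


def check_f2(m: "re.Match") -> List[str]:
    """Shell should be exactly explorer.exe; UserInit exactly the real userinit.exe."""
    key, value = m.group("key"), m.group("value")
    sep = r"\s+" if key == "Shell" else ","  # Shell is space-separated, UserInit comma-separated
    parts = [p.strip().lower() for p in re.split(sep, value) if p.strip()]
    expected = VALID_SHELL if key == "Shell" else VALID_USERINIT
    extras = [p for p in parts if p != expected]
    return [f"{key} chains extra program(s) at logon: {', '.join(extras)}"] if extras else []


def triage(log_text: str) -> List[Finding]:
    """Scan the O4 and F2 lines of a HijackThis log and return each flagged entry with its reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            reasons = check_o4(m)
        elif (m := F2_RE.match(line)):
            reasons = check_f2(m)
        else:
            continue
        findings.extend(Finding(line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, it flags seven entries and leaves the Norton and MSN Messenger autoruns alone; the same checks apply to any HijackThis log pasted in place of SAMPLE_LOG.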



