
HJT Log - Conlanm


  • This topic is locked
7 replies to this topic

#1 conlanm

conlanm

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:55 AM

Posted 10 January 2005 - 04:21 AM

Need help with this one. Appear to have ads345 and maybe some other stuff... Symptoms: when I am online I get redirected to ads345 fairly constantly. If I am at Symantec's site, then I get sent to ads345 almost every time I hit a link. Also computer runs excruciatingly slow. Log follows:

Thanks,

MC

****************************************************

Logfile of HijackThis v1.98.2
Scan saved at 12:11:42 AM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SK6200dm.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ACMCMPRS.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\2ll.exe
C:\Documents and Settings\Matthew Conlan\Application Data\mnn?.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\InterMute\AdSubtract\AdSub.exe
C:\Program Files\InterMute\PopSubtract\popsub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1046
O2 - BHO: ADW Class - {00000000-0001-1DBE-075A-39EC04BD88AF} - C:\WINDOWS\System32\avicap32.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {86FF75FD-D1A8-4322-AF13-0C70946307C4} - C:\WINDOWS\System32\cdmodetm.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Matthew Conlan\Local Settings\Temp\7P0v.dll
O3 - Toolbar: (no name) - {69EF653B-8FDA-4175-B67B-F39A42736352} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\system32\adsubtb.dll
O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK6200dm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [gxiBtg] C:\documents and settings\rebecca conlan\local settings\temp\gxiBtg.exe
O4 - HKLM\..\Run: [e2ND] C:\documents and settings\rebecca conlan\local settings\temp\e2ND.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [0x9pCEk] C:\documents and settings\matthew conlan\local settings\temp\0x9pCEk.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [91G8] C:\documents and settings\matthew conlan\local settings\temp\91G8.exe
O4 - HKLM\..\Run: [e80519c58c15] C:\WINDOWS\system32\audiosrv.exe
O4 - HKLM\..\Run: [5X3#PNY3AZJHS#] C:\WINDOWS\system32\Xdfy37.exe
O4 - HKLM\..\Run: [eb008ac05726] C:\WINDOWS\system32\ACMCMPRS.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ygDavMBWw] C:\windows\ygDavMBWw.exe
O4 - HKLM\..\Run: [2ll] C:\windows\2ll.exe
O4 - HKLM\..\Run: [L] C:\documents and settings\matthew conlan\local settings\temp\L.exe
O4 - HKLM\..\Run: [UH] C:\documents and settings\matthew conlan\local settings\temp\UH.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Mhat] C:\Documents and Settings\Matthew Conlan\Application Data\mnn?.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\InterMute\AdSubtract\AdSub.exe
O4 - Startup: PopSubtract.lnk = ?
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palm\HOTSYNC.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {062FF801-56AE-43E4-B4A8-94E9CBA2BB79} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {2D8F16D3-F953-4BA2-B333-473969CAD189} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {2F0A184B-2C56-44F7-878C-51F517C07C14} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {3C8A387F-9E59-48BB-BEF9-2664BD2272A6} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: (no name) - {6A0FAEEE-CED4-4401-8E68-73729760A36B} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {7F8D8BA2-4E38-4EF2-BDDE-A828DAD5E5C1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {7F8D8BA2-4E38-4EF2-BDDE-A828DAD5E5C1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {98F2ABF5-9D5F-4DE1-A7B2-436BA418785F} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {A0D889CF-71FD-4770-8CE3-9C16C2B09783} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft® JavaScript® Console - {AE7953A8-5F22-4CA0-8406-224EF269D1E1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {B5331EA9-0877-44CB-B540-9B60D5A9BE30} - (no file)
O9 - Extra button: (no name) - {BF7320CD-D008-4229-B83F-3268FD4F6FDF} - (no file)
O9 - Extra button: (no name) - {C549C02B-0B0B-4676-9D91-2E80D759B3FC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096136416234
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{69931F23-3760-4127-9B1C-EAB3E43684E5}: NameServer = 194.74.65.68 194.72.9.34



#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:05:55 AM

Posted 11 January 2005 - 02:07 PM

Hi :thumbsup:

First of all remove the Peper Trojan.
1. Download and save PeperFix.
REBOOT into SafeMode (see Starting your computer in Safe mode; use the F8 method) and run the program.
It will remove the files, leaving one orphaned entry to be cleaned up with HijackThis.

2. REBOOT again into SafeMode and run it again for good measure.

3. REBOOT normally.


P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.
You can uninstall this program from Add\Remove Programs.
P2P Networking

Please uninstall Viewpoint Media Player from Add\Remove Programs.
Removing Viewpoint Media Player may cause the program that bundled it to not function as intended.
About Viewpoint Media Player.


Optional:
You have Wild Tangent installed. Wild Tangent collects information about you and your usage. The advertisements may also contain pornographic or other material that you might find inappropriate. You can follow these instructions to uninstall it: No. 8 - Uninstallation.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

O2 - BHO: ADW Class - {00000000-0001-1DBE-075A-39EC04BD88AF} - C:\WINDOWS\System32\avicap32.dll
O2 - BHO: (no name) - {86FF75FD-D1A8-4322-AF13-0C70946307C4} - C:\WINDOWS\System32\cdmodetm.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Matthew Conlan\Local Settings\Temp\7P0v.dll
O3 - Toolbar: (no name) - {69EF653B-8FDA-4175-B67B-F39A42736352} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [gxiBtg] C:\documents and settings\rebecca conlan\local settings\temp\gxiBtg.exe
O4 - HKLM\..\Run: [e2ND] C:\documents and settings\rebecca conlan\local settings\temp\e2ND.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [0x9pCEk] C:\documents and settings\matthew conlan\local settings\temp\0x9pCEk.exe
O4 - HKLM\..\Run: [91G8] C:\documents and settings\matthew conlan\local settings\temp\91G8.exe
O4 - HKLM\..\Run: [5X3#PNY3AZJHS#] C:\WINDOWS\system32\Xdfy37.exe
O4 - HKLM\..\Run: [eb008ac05726] C:\WINDOWS\system32\ACMCMPRS.exe
O4 - HKLM\..\Run: [ygDavMBWw] C:\windows\ygDavMBWw.exe
O4 - HKLM\..\Run: [2ll] C:\windows\2ll.exe
O4 - HKLM\..\Run: [L] C:\documents and settings\matthew conlan\local settings\temp\L.exe
O4 - HKLM\..\Run: [UH] C:\documents and settings\matthew conlan\local settings\temp\UH.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Mhat] C:\Documents and Settings\Matthew Conlan\Application Data\mnn?.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O9 - Extra button: (no name) - {062FF801-56AE-43E4-B4A8-94E9CBA2BB79} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: (no name) - {2F0A184B-2C56-44F7-878C-51F517C07C14} - (no file)
O9 - Extra button: (no name) - {B5331EA9-0877-44CB-B540-9B60D5A9BE30} - (no file)
O9 - Extra button: (no name) - {BF7320CD-D008-4229-B83F-3268FD4F6FDF} - (no file)
O9 - Extra button: (no name) - {C549C02B-0B0B-4676-9D91-2E80D759B3FC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.exe
O16 - DPF: {69432678-2906-2705-1128-068943397621} -


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
C:\WINDOWS\System32\avicap32.dll <-- this file
C:\WINDOWS\System32\cdmodetm.dll <-- this file
C:\WINDOWS\System32\IEHost.exe <-- this file
C:\WINDOWS\system32\ACMCMPRS.exe <-- this file
C:\windows\ygDavMBWw.exe <-- this file
C:\windows\2ll.exe <-- this file
C:\Documents and Settings\Matthew Conlan\Application Data\mnn?.exe <-- this file, filename starts with mnn, tell me please if you could find and delete this file, it could be invisible
C:\WINDOWS\System32\wnsintsv.exe <-- this file

Delete these folders, if present:
C:\WINDOWS\System32\P2P Networking\ <-- this folder
C:\Program files\CLOCKS~1\ <-- this folder

C:\Documents and Settings\Matthew Conlan\Local Settings\Temp\ <-- empty this folder, do not delete the folder
C:\documents and settings\rebecca conlan\local settings\temp\ <-- empty this folder, do not delete the folder

With all windows and browsers closed, clean out temporary files and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab, tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

You are running an outdated version of HijackThis. Delete the copy you have and download the latest version of HijackThis!: Download here HJT 1.99. Save it on your Desktop. You will now need to unzip hijackthis.exe to a permanent folder, such as c:\hjt. This has to be done because HijackThis creates backups, and you may need to use these backups.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Unzip hijackthis.exe to the c:\HJT folder.

Please post a new hijackthis log.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?

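As an added illustration, not code from this thread, from HijackThis or from BleepingComputer: a small Python triage script that parses lines in the HijackThis log format posted above and applies the same kinds of location checks the instructions in this post lean on. It flags a component loaded from a Temp directory, an executable dropped straight into the Application Data root, an orphaned entry (a "(no file)" or "(file missing)" target, or an O16 DPF line with no URL left), and a browser ProxyServer value pointing at a loopback port, which local ad filters such as AdSubtract also set and which therefore only earns a "review" mark. The sample log is a constructed subset copied from the first log in this thread; the rule set, the severity labels and every function name are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the HijackThis log format: a subset of the lines posted
# in this thread, trimmed so that each triage rule below fires at least once.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1046
O2 - BHO: ADW Class - {00000000-0001-1DBE-075A-39EC04BD88AF} - C:\WINDOWS\System32\avicap32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Matthew Conlan\Local Settings\Temp\7P0v.dll
O3 - Toolbar: (no name) - {69EF653B-8FDA-4175-B67B-F39A42736352} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gxiBtg] C:\documents and settings\rebecca conlan\local settings\temp\gxiBtg.exe
O4 - HKCU\..\Run: [Mhat] C:\Documents and Settings\Matthew Conlan\Application Data\mnn?.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O9 - Extra button: (no name) - {062FF801-56AE-43E4-B4A8-94E9CBA2BB79} - (no file)
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# File sitting directly inside any Temp directory (profile or system).
TEMP_RE = re.compile(r"\\temp\\[^\\]+$", re.I)
# Executable or DLL dropped straight into the Application Data root.
APPDATA_ROOT_RE = re.compile(r"\\application data\\[^\\]+\.(exe|dll)$", re.I)
LOOPBACK_RE = re.compile(r"localhost|127\.0\.0\.1", re.I)


@dataclass
class Finding:
    section: str   # R1, O2, O4, ...
    severity: str  # "high", "orphaned" or "review" (labels are my own choice)
    reason: str
    line: str      # the original log line


def extract_target(section: str, body: str) -> Tuple[str, bool]:
    """Return (file path or value, orphaned) for one entry body.

    The path is '' when the entry carries none; orphaned is True when the
    entry itself says its target no longer exists on disk.
    """
    body = body.strip()
    if section == "O4":
        # O4 - HKLM\..\Run: [name] <command line>
        m = re.search(r"\]\s*(.*)$", body)
        rest = m.group(1).strip() if m else ""
        if rest.startswith('"'):                  # quoted path, arguments follow
            return rest[1:].split('"', 1)[0], False
        m2 = re.match(r"(.*?\.exe)", rest, re.I)  # unquoted path, cut at .exe
        return (m2.group(1) if m2 else rest), False
    if section.startswith("R"):
        # R1 - <registry key>,<value name> = <value>
        return body.split(" = ", 1)[-1].strip(), False
    if body.endswith(" -"):                       # e.g. O16 DPF with no URL left
        return "", False
    tail = body.rsplit(" - ", 1)[-1].strip() if " - " in body else ""
    if tail.endswith("(HKCU)"):
        tail = tail[: -len("(HKCU)")].strip()
    if tail == "(no file)":
        return "", True
    if tail.endswith("(file missing)"):
        return tail[: -len("(file missing)")].strip(), True
    return tail, False


def triage(log_text: str) -> List[Finding]:
    """Apply the location-based triage rules to every parsable line of a log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        path, orphaned = extract_target(section, body)
        if orphaned or (section == "O16" and path == ""):
            findings.append(Finding(section, "orphaned",
                "points at a file that no longer exists; fixable in HijackThis", raw))
        elif TEMP_RE.search(path):
            findings.append(Finding(section, "high",
                "auto-loaded component lives in a Temp directory", raw))
        elif APPDATA_ROOT_RE.search(path):
            findings.append(Finding(section, "high",
                "executable dropped directly under Application Data", raw))
        elif section == "R1" and "ProxyServer" in body and LOOPBACK_RE.search(path):
            findings.append(Finding(section, "review",
                "browser proxy on a loopback port; confirm which local program owns it", raw))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity label."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.section}: {f.reason}\n           {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample the script marks the two Temp-directory entries and the Application Data dropper as high, the three dead entries as orphaned, and the loopback proxy for review, while leaving the Norton and ccApp lines alone. Note what location rules miss: avicap32.dll and wnsintsv.exe sit in System32 under plausible names and pass every check here, which is exactly why the reviewer's knowledge of known-bad file names still decides the list; this is a first pass for sorting a long log, not a replacement for that judgement.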

#3 conlanm

conlanm
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:55 AM

Posted 14 January 2005 - 04:14 AM

Hi,

I downloaded and ran (several times) PeperFix. It did not find any Peper files (the actual message onscreen was "No Peper Files Were Detected").

There was no P2P Networking program listed in the Add/Remove Programs list.

Removed Viewpoint Media Player.

Left Wild Tangent for now. I tried to get rid of it a while back and had a bunch of problems result so I left it for now.

Went through the entire list. Found all of the O2, O3, O4, O9, and O16 entries and fixed them, although this one:

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Matthew Conlan\Local Settings\Temp\7P0v.dll

had changed to:

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Matthew Conlan\Local Settings\Temp\m.dll

I had HiJackThis fix it (hoping that was the right thing to do...)

For these files:

Search for these files and delete them if present:
C:\WINDOWS\System32\avicap32.dll <-- this file
C:\WINDOWS\System32\cdmodetm.dll <-- this file
C:\WINDOWS\System32\IEHost.exe <-- this file
C:\WINDOWS\system32\ACMCMPRS.exe <-- this file
C:\windows\ygDavMBWw.exe <-- this file
C:\windows\2ll.exe <-- this file
C:\Documents and Settings\Matthew Conlan\Application Data\mnn?.exe <-- this file, filename starts with mnn, tell me please if you could find and delete this file, it could be invisible
C:\WINDOWS\System32\wnsintsv.exe <-- this file


I found an avicap32.dll.tmp, wasn't sure I should delete it or not.
I did not find cdmodetm.dll although there was a cdmodem.dll (left it there).
Did not find iehost.exe.
Found and deleted ACMCMPRS.exe and 2ll.exe. Did not find ygDavMBWw.exe but there is a ygDavMBWw.dll (left it there).

For this one:

C:\Documents and Settings\Matthew Conlan\Application Data\mnn?.exe <-- this file, filename starts with mnn, tell me please if you could find and delete this file, it could be invisible

I found "mnns.exe" and deleted it.

I didn't find:

C:\WINDOWS\System32\wnsintsv.exe <-- this file

Deleted:

C:\WINDOWS\System32\P2P Networking\ <-- this folder

but did not find:

C:\Program files\CLOCKS~1\ <-- this folder

Deleted the contents of:

C:\Documents and Settings\Matthew Conlan\Local Settings\Temp\
C:\documents and settings\rebecca conlan\local settings\temp\

Installed and ran System Security Suite.

Downloaded and ran updated HJT.

Here's the new log:


Logfile of HijackThis v1.99.0
Scan saved at 8:52:46 AM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SK6200dm.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\InterMute\SpySubtract\spysub.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\InterMute\PopSubtract\popsub.exe
C:\Program Files\BT Yahoo\BT Yahoo Help\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1033
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK6200dm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [e80519c58c15] C:\WINDOWS\system32\audiosrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\InterMute\AdSubtract\AdSub.exe
O4 - Startup: PopSubtract.lnk = ?
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palm\HOTSYNC.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {2D8F16D3-F953-4BA2-B333-473969CAD189} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {3C8A387F-9E59-48BB-BEF9-2664BD2272A6} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: (no name) - {6A0FAEEE-CED4-4401-8E68-73729760A36B} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {7F8D8BA2-4E38-4EF2-BDDE-A828DAD5E5C1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {7F8D8BA2-4E38-4EF2-BDDE-A828DAD5E5C1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll
O9 - Extra button: Microsoft® JavaScript® Console - {98F2ABF5-9D5F-4DE1-A7B2-436BA418785F} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {A0D889CF-71FD-4770-8CE3-9C16C2B09783} - C:\Documents and Settings\Matthew Conlan\Local Settings\Temporary Internet Files\Content.IE5\S1MJGHE3\cxmsx[1].exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft® JavaScript® Console - {AE7953A8-5F22-4CA0-8406-224EF269D1E1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096136416234
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{69931F23-3760-4127-9B1C-EAB3E43684E5}: NameServer = 194.74.65.68 194.72.9.34
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Thank you! :thumbsup:

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:05:55 AM

Posted 14 January 2005 - 12:53 PM

C:\Program files\CLOCKS~1\ <-- delete this folder if present, foldername starts with CLOCK

I found an avicap32.dll.tmp, wasn't sure I should delete it or not.

Yes, delete it.

Did not find ygDavMBWw.exe but there is a ygDavMBWw.dll (left it there).

It is a bad file, delete it.


Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

Close all other windows and browsers, and press the Fix Checked button.


REBOOT your machine and post a new log please.

Is your browser still redirected to about:blank ? The newest CoolWebSearch variant is not visible in the hijackthis log.

Edited by Daisuke, 14 January 2005 - 12:57 PM.

Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?

#5 conlanm
  • Topic Starter

  • Members
  • 4 posts

Posted 15 January 2005 - 11:13 AM

C:\Program files\CLOCKS~1\ <-- delete this folder if present, foldername starts with CLOCK


I did not find this directory.

I deleted avicap32.dll (this time I couldn't find avicap32.dll.tmp, found avicap32.dll instead so I deleted it) and ygDavMBWw.dll (same sort of thing happened here).

Ran HijackThis! and fixed this entry:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

REBOOTed, and new log is below.

Is your browser still redirected to about:blank? The newest CoolWebSearch variant is not visible in the HijackThis log.

I had my browser set to open on a blank page whenever it first opened. I reset it to MSN as the start page and it seems (so far) to go directly there whenever I launch the browser.

Thanks, log follows:

Logfile of HijackThis v1.99.0
Scan saved at 4:03:37 PM, on 1/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SK6200dm.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\BT Yahoo\BT Yahoo Help\bin\mpbtn.exe
C:\Program Files\InterMute\SpySubtract\spysub.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\InterMute\PopSubtract\popsub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1456
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK6200dm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [e80519c58c15] C:\WINDOWS\system32\audiosrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PopSubtract.lnk = ?
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palm\HOTSYNC.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {2D8F16D3-F953-4BA2-B333-473969CAD189} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {3297BB24-7A1D-4F2D-8B54-1F78681F37F7} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {3C8A387F-9E59-48BB-BEF9-2664BD2272A6} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: (no name) - {6A0FAEEE-CED4-4401-8E68-73729760A36B} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {7F8D8BA2-4E38-4EF2-BDDE-A828DAD5E5C1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {7F8D8BA2-4E38-4EF2-BDDE-A828DAD5E5C1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll
O9 - Extra button: Microsoft® JavaScript® Console - {98F2ABF5-9D5F-4DE1-A7B2-436BA418785F} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {A0D889CF-71FD-4770-8CE3-9C16C2B09783} - C:\Documents and Settings\Matthew Conlan\Local Settings\Temporary Internet Files\Content.IE5\S1MJGHE3\cxmsx[1].exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft® JavaScript® Console - {AE7953A8-5F22-4CA0-8406-224EF269D1E1} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096136416234
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{69931F23-3760-4127-9B1C-EAB3E43684E5}: NameServer = 194.74.65.68 194.72.9.34
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
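Both logs in this thread use HijackThis's line-oriented format: a header, a "Running processes:" list, then one `Rn`/`On` entry per line, with HijackThis appending "(file missing)" when an entry points at a file that is not on disk. The script below is an added example, not code from this thread or from HijackThis, that parses that format and summarises a log for review: counts per section, the entries HijackThis itself tagged "(file missing)", whether the line Daisuke asked to have fixed is still present, and which running processes no O4 (Run) or O23 (Service) entry in the log accounts for. The sample log, the O9 line with an all-zero CLSID placeholder, the `FIX_LIST` and `KNOWN_SYSTEM` names and the regular expressions are all constructed for the example; a real log can be pasted in place of the sample.

```python
import re
from collections import Counter

# Constructed sample in the format of the HijackThis logs posted in this thread.
# Most lines mirror entries from the logs above; the O9 "(file missing)" line and
# its all-zero CLSID are placeholders made up for the example, and navapsvc.exe is
# deliberately listed as a running process without its O23 line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Scan saved at 4:03:37 PM, on 1/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1456
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000000} - C:\EXAMPLE\missing.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{69931F23-3760-4127-9B1C-EAB3E43684E5}: NameServer = 194.74.65.68 194.72.9.34
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# The entry the helper asked to be fixed with "Fix Checked" earlier in the thread.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank",
]

# Core Windows processes are started by the OS rather than by an autostart entry,
# so their absence from O4/O23 is expected (constructed list for the example).
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe", "hijackthis.exe"}

HEADER_RE = re.compile(r"^Logfile of HijackThis v(?P<version>[\d.]+)$")
# HijackThis entries are "<section> - <body>"; sections are R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path ending in a binary or shortcut extension; stops before a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|lnk)\b', re.IGNORECASE)


def parse_hjt_log(text):
    """Parse a HijackThis log into header fields, running processes and entries.

    Each entry records its section code, body text, any CLSID and Windows path
    found in it, and whether HijackThis itself appended "(file missing)".
    """
    result = {"version": None, "platform": None, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        header = HEADER_RE.match(line)
        if header:
            result["version"] = header.group("version")
            continue
        if line.startswith("Platform: "):
            result["platform"] = line[len("Platform: "):]
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            result["processes"].append(line)
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue                      # "Scan saved", "MSIE" and similar header lines
        body = entry.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        result["entries"].append({
            "section": entry.group("section"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "path": path.group(0) if path else None,
            "file_missing": body.endswith("(file missing)"),
        })
    return result


def triage(parsed, fix_list):
    """Summarise a parsed log: counts per section, "(file missing)" entries, fix-list
    lines still present, and running processes no O4/O23 entry accounts for."""
    entries = parsed["entries"]
    wanted = set(fix_list)
    autostart_names = {
        e["path"].rsplit("\\", 1)[-1].lower()
        for e in entries if e["section"] in ("O4", "O23") and e["path"]
    }
    unexplained = [
        p for p in parsed["processes"]
        if p.rsplit("\\", 1)[-1].lower() not in autostart_names | KNOWN_SYSTEM
    ]
    return {
        "by_section": dict(Counter(e["section"] for e in entries)),
        "file_missing": [e for e in entries if e["file_missing"]],
        "to_fix": [e for e in entries if f'{e["section"]} - {e["body"]}' in wanted],
        "processes_without_autostart": unexplained,
    }


if __name__ == "__main__":
    report = triage(parse_hjt_log(SAMPLE_LOG), FIX_LIST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "processes_without_autostart" list is only a cross-reference within the log, not a verdict: a process can legitimately be launched by another program or by a scheduled task that HijackThis does not list, so it marks entries to look at, exactly as a reviewer reading the log by hand would.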

#6 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 15 January 2005 - 03:53 PM

Log looks clean... great job! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected? With steps so it does not happen again!

Glad I was able to help.

#7 conlanm
  • Topic Starter

  • Members
  • 4 posts

Posted 15 January 2005 - 06:50 PM

Thanks! I really appreciate all your help on this one, it was driving me nuts.

Thanks again.

MC

#8 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 16 January 2005 - 05:19 AM

You're welcome! Happy surfing :thumbsup:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.