Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTJ Log - akryte


  • This topic is locked This topic is locked
9 replies to this topic

#1 akryte

akryte

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 11 January 2005 - 07:40 PM

When I close a page on IE I get a ton of new windows opening with http://realsearch.cc/ as the startpage. I have run Ad-aware and Cw Shredder with no luck. Thank You for any help you can provide. Here is my log:

Logfile of HijackThis v1.99.0
Scan saved at 11:22:45 AM, on 1/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\MMaestro\BWheel35.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\rxextpdl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HTJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [EBF244F3] C:\WINDOWS\system32\rxextpdl.exe
O4 - HKLM\..\Run: [BD6D4CF6] C:\WINDOWS\system32\1agte.exe
O4 - HKLM\..\Run: [836C14C3] C:\WINDOWS\system32\dvDLco.exe
O4 - HKLM\..\Run: [E00791F3] C:\WINDOWS\system32\oxxvi.exe
O4 - HKLM\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - HKLM\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKLM\..\Run: [BC7F3CF3] C:\WINDOWS\system32\pcvutpst.exe
O4 - HKLM\..\Run: [043CCC8E] C:\WINDOWS\system32\uthzat.exe
O4 - HKLM\..\Run: [FA6D06F6] C:\WINDOWS\system32\1agDDCs20.exe
O4 - HKLM\..\Run: [AADBAB6E] C:\WINDOWS\system32\svcludmpa.exe
O4 - HKLM\..\Run: [BDAD94D3] C:\WINDOWS\system32\aappmg.exe
O4 - HKLM\..\Run: [9389E4C6] C:\WINDOWS\system32\vifctlatim.exe
O4 - HKLM\..\Run: [CE8C515E] C:\WINDOWS\system32\atsrvsbr.exe
O4 - HKLM\..\Run: [4C1905E6] C:\WINDOWS\system32\exaco3Dq3.exe
O4 - HKLM\..\Run: [5185E4F6] C:\WINDOWS\system32\resTrus.exe
O4 - HKLM\..\Run: [8A8D9F53] C:\WINDOWS\system32\acluvpcfg.exe
O4 - HKLM\..\Run: [DCE9C06E] C:\WINDOWS\system32\eamudio.exe
O4 - HKLM\..\Run: [997B857E] C:\WINDOWS\system32\awClasass.exe
O4 - HKLM\..\Run: [0AB56706] C:\WINDOWS\system32\uagwse.exe
O4 - HKLM\..\Run: [A086854B] C:\WINDOWS\system32\dispwse.exe
O4 - HKLM\..\Run: [4442556E] C:\WINDOWS\system32\asfilcPas.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [EBF244F3] C:\WINDOWS\system32\rxextpdl.exe
O4 - HKCU\..\Run: [BD6D4CF6] C:\WINDOWS\system32\1agte.exe
O4 - HKCU\..\Run: [836C14C3] C:\WINDOWS\system32\dvDLco.exe
O4 - HKCU\..\Run: [E00791F3] C:\WINDOWS\system32\oxxvi.exe
O4 - HKCU\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - HKCU\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKCU\..\Run: [BC7F3CF3] C:\WINDOWS\system32\pcvutpst.exe
O4 - HKCU\..\Run: [043CCC8E] C:\WINDOWS\system32\uthzat.exe
O4 - HKCU\..\Run: [FA6D06F6] C:\WINDOWS\system32\1agDDCs20.exe
O4 - HKCU\..\Run: [AADBAB6E] C:\WINDOWS\system32\svcludmpa.exe
O4 - HKCU\..\Run: [BDAD94D3] C:\WINDOWS\system32\aappmg.exe
O4 - HKCU\..\Run: [9389E4C6] C:\WINDOWS\system32\vifctlatim.exe
O4 - HKCU\..\Run: [CE8C515E] C:\WINDOWS\system32\atsrvsbr.exe
O4 - HKCU\..\Run: [4C1905E6] C:\WINDOWS\system32\exaco3Dq3.exe
O4 - HKCU\..\Run: [5185E4F6] C:\WINDOWS\system32\resTrus.exe
O4 - HKCU\..\Run: [8A8D9F53] C:\WINDOWS\system32\acluvpcfg.exe
O4 - HKCU\..\Run: [DCE9C06E] C:\WINDOWS\system32\eamudio.exe
O4 - HKCU\..\Run: [997B857E] C:\WINDOWS\system32\awClasass.exe
O4 - HKCU\..\Run: [0AB56706] C:\WINDOWS\system32\uagwse.exe
O4 - HKCU\..\Run: [A086854B] C:\WINDOWS\system32\dispwse.exe
O4 - HKCU\..\Run: [4442556E] C:\WINDOWS\system32\asfilcPas.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03c5428856190bb04605/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105149942671
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:06 PM

Posted 12 January 2005 - 05:17 PM

Hi :thumbsup:

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2

O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [EBF244F3] C:\WINDOWS\system32\rxextpdl.exe
O4 - HKLM\..\Run: [BD6D4CF6] C:\WINDOWS\system32\1agte.exe
O4 - HKLM\..\Run: [836C14C3] C:\WINDOWS\system32\dvDLco.exe
O4 - HKLM\..\Run: [E00791F3] C:\WINDOWS\system32\oxxvi.exe
O4 - HKLM\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - HKLM\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKLM\..\Run: [BC7F3CF3] C:\WINDOWS\system32\pcvutpst.exe
O4 - HKLM\..\Run: [043CCC8E] C:\WINDOWS\system32\uthzat.exe
O4 - HKLM\..\Run: [FA6D06F6] C:\WINDOWS\system32\1agDDCs20.exe
O4 - HKLM\..\Run: [AADBAB6E] C:\WINDOWS\system32\svcludmpa.exe
O4 - HKLM\..\Run: [BDAD94D3] C:\WINDOWS\system32\aappmg.exe
O4 - HKLM\..\Run: [9389E4C6] C:\WINDOWS\system32\vifctlatim.exe
O4 - HKLM\..\Run: [CE8C515E] C:\WINDOWS\system32\atsrvsbr.exe
O4 - HKLM\..\Run: [4C1905E6] C:\WINDOWS\system32\exaco3Dq3.exe
O4 - HKLM\..\Run: [5185E4F6] C:\WINDOWS\system32\resTrus.exe
O4 - HKLM\..\Run: [8A8D9F53] C:\WINDOWS\system32\acluvpcfg.exe
O4 - HKLM\..\Run: [DCE9C06E] C:\WINDOWS\system32\eamudio.exe
O4 - HKLM\..\Run: [997B857E] C:\WINDOWS\system32\awClasass.exe
O4 - HKLM\..\Run: [0AB56706] C:\WINDOWS\system32\uagwse.exe
O4 - HKLM\..\Run: [A086854B] C:\WINDOWS\system32\dispwse.exe
O4 - HKLM\..\Run: [4442556E] C:\WINDOWS\system32\asfilcPas.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [EBF244F3] C:\WINDOWS\system32\rxextpdl.exe
O4 - HKCU\..\Run: [BD6D4CF6] C:\WINDOWS\system32\1agte.exe
O4 - HKCU\..\Run: [836C14C3] C:\WINDOWS\system32\dvDLco.exe
O4 - HKCU\..\Run: [E00791F3] C:\WINDOWS\system32\oxxvi.exe
O4 - HKCU\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - HKCU\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKCU\..\Run: [BC7F3CF3] C:\WINDOWS\system32\pcvutpst.exe
O4 - HKCU\..\Run: [043CCC8E] C:\WINDOWS\system32\uthzat.exe
O4 - HKCU\..\Run: [FA6D06F6] C:\WINDOWS\system32\1agDDCs20.exe
O4 - HKCU\..\Run: [AADBAB6E] C:\WINDOWS\system32\svcludmpa.exe
O4 - HKCU\..\Run: [BDAD94D3] C:\WINDOWS\system32\aappmg.exe
O4 - HKCU\..\Run: [9389E4C6] C:\WINDOWS\system32\vifctlatim.exe
O4 - HKCU\..\Run: [CE8C515E] C:\WINDOWS\system32\atsrvsbr.exe
O4 - HKCU\..\Run: [4C1905E6] C:\WINDOWS\system32\exaco3Dq3.exe
O4 - HKCU\..\Run: [5185E4F6] C:\WINDOWS\system32\resTrus.exe
O4 - HKCU\..\Run: [8A8D9F53] C:\WINDOWS\system32\acluvpcfg.exe
O4 - HKCU\..\Run: [DCE9C06E] C:\WINDOWS\system32\eamudio.exe
O4 - HKCU\..\Run: [997B857E] C:\WINDOWS\system32\awClasass.exe
O4 - HKCU\..\Run: [0AB56706] C:\WINDOWS\system32\uagwse.exe
O4 - HKCU\..\Run: [A086854B] C:\WINDOWS\system32\dispwse.exe
O4 - HKCU\..\Run: [4442556E] C:\WINDOWS\system32\asfilcPas.exe

O15 - Trusted Zone: http://*.69sexsearch.com

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03c5428856190bb04605/...ip/RdxIE601.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
<-- this file
C:\WINDOWS\system32\xpsp2fw.exe <-- this file
C:\WINDOWS\System32\tibs3.exe <-- this file
C:\WINDOWS\system32\rxextpdl.exe <-- this file
C:\WINDOWS\system32\1agte.exe <-- this file
C:\WINDOWS\system32\dvDLco.exe <-- this file
C:\WINDOWS\system32\oxxvi.exe <-- this file
C:\WINDOWS\system32\pcutmuth.exe <-- this file
C:\WINDOWS\system32\1agtmp.exe <-- this file
C:\WINDOWS\system32\pcvutpst.exe <-- this file
C:\WINDOWS\system32\uthzat.exe <-- this file
C:\WINDOWS\system32\1agDDCs20.exe <-- this file
C:\WINDOWS\system32\svcludmpa.exe <-- this file
C:\WINDOWS\system32\aappmg.exe <-- this file
C:\WINDOWS\system32\vifctlatim.exe <-- this file
C:\WINDOWS\system32\atsrvsbr.exe <-- this file
C:\WINDOWS\system32\exaco3Dq3.exe <-- this file
C:\WINDOWS\system32\resTrus.exe <-- this file
C:\WINDOWS\system32\acluvpcfg.exe <-- this file
C:\WINDOWS\system32\eamudio.exe <-- this file
C:\WINDOWS\system32\awClasass.exe <-- this file
C:\WINDOWS\system32\uagwse.exe <-- this file
C:\WINDOWS\system32\dispwse.exe <-- this file
C:\WINDOWS\system32\asfilcPas.exe <-- this file
C:\WINDOWS\system32\wuclient.exe <-- this file

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 akryte

akryte
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 12 January 2005 - 10:28 PM

First of all, Thank You for the help. I did everything you asked and here is my new log.

Logfile of HijackThis v1.99.0
Scan saved at 7:24:04 PM, on 1/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\MMaestro\BWheel35.exe
C:\WINDOWS\system32\pcutmuth.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [EBF244F3] C:\WINDOWS\system32\rxextpdl.exe
O4 - HKLM\..\Run: [BD6D4CF6] C:\WINDOWS\system32\1agte.exe
O4 - HKLM\..\Run: [836C14C3] C:\WINDOWS\system32\dvDLco.exe
O4 - HKLM\..\Run: [E00791F3] C:\WINDOWS\system32\oxxvi.exe
O4 - HKLM\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - HKLM\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKLM\..\Run: [BC7F3CF3] C:\WINDOWS\system32\pcvutpst.exe
O4 - HKLM\..\Run: [043CCC8E] C:\WINDOWS\system32\uthzat.exe
O4 - HKLM\..\Run: [FA6D06F6] C:\WINDOWS\system32\1agDDCs20.exe
O4 - HKLM\..\Run: [AADBAB6E] C:\WINDOWS\system32\svcludmpa.exe
O4 - HKLM\..\Run: [BDAD94D3] C:\WINDOWS\system32\aappmg.exe
O4 - HKLM\..\Run: [9389E4C6] C:\WINDOWS\system32\vifctlatim.exe
O4 - HKLM\..\Run: [CE8C515E] C:\WINDOWS\system32\atsrvsbr.exe
O4 - HKLM\..\Run: [4C1905E6] C:\WINDOWS\system32\exaco3Dq3.exe
O4 - HKLM\..\Run: [5185E4F6] C:\WINDOWS\system32\resTrus.exe
O4 - HKLM\..\Run: [8A8D9F53] C:\WINDOWS\system32\acluvpcfg.exe
O4 - HKLM\..\Run: [DCE9C06E] C:\WINDOWS\system32\eamudio.exe
O4 - HKLM\..\Run: [997B857E] C:\WINDOWS\system32\awClasass.exe
O4 - HKLM\..\Run: [0AB56706] C:\WINDOWS\system32\uagwse.exe
O4 - HKLM\..\Run: [A086854B] C:\WINDOWS\system32\dispwse.exe
O4 - HKLM\..\Run: [4442556E] C:\WINDOWS\system32\asfilcPas.exe
O4 - HKLM\..\Run: [CBAC4553] C:\WINDOWS\system32\auserciad.exe
O4 - HKLM\..\Run: [4190CFDE] C:\WINDOWS\system32\chsc3d.exe
O4 - HKLM\..\Run: [CB9C676E] C:\WINDOWS\system32\ti2wsjmo.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CBAC4553] C:\WINDOWS\system32\auserciad.exe
O4 - HKCU\..\Run: [4190CFDE] C:\WINDOWS\system32\chsc3d.exe
O4 - HKCU\..\Run: [CB9C676E] C:\WINDOWS\system32\ti2wsjmo.exe
O4 - HKCU\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105149942671
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:06 PM

Posted 13 January 2005 - 03:57 PM

Hi

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.

1. Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\pcutmuth.exe

Click the "Delete File" button which looks like a stop sign.
A first dialog box will ask if you want to to replace the file on Reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the NO button.

REPEAT the steps for these files:
(Don't forget to check each time the "Use Dummy" box)

C:\WINDOWS\system32\rxextpdl.exe

C:\WINDOWS\system32\1agte.exe

C:\WINDOWS\system32\dvDLco.exe

C:\WINDOWS\system32\oxxvi.exe

C:\WINDOWS\system32\pcutmuth.exe

C:\WINDOWS\system32\1agtmp.exe

C:\WINDOWS\system32\pcvutpst.exe

C:\WINDOWS\system32\uthzat.exe

C:\WINDOWS\system32\1agDDCs20.exe

C:\WINDOWS\system32\svcludmpa.exe

C:\WINDOWS\system32\aappmg.exe

C:\WINDOWS\system32\vifctlatim.exe

C:\WINDOWS\system32\atsrvsbr.exe

C:\WINDOWS\system32\exaco3Dq3.exe

C:\WINDOWS\system32\resTrus.exe

C:\WINDOWS\system32\acluvpcfg.exe

C:\WINDOWS\system32\eamudio.exe

C:\WINDOWS\system32\awClasass.exe

C:\WINDOWS\system32\uagwse.exe

C:\WINDOWS\system32\dispwse.exe

C:\WINDOWS\system32\asfilcPas.exe

C:\WINDOWS\system32\auserciad.exe

C:\WINDOWS\system32\chsc3d.exe



2. Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\ti2wsjmo.exe

Click the "Delete File" button which looks like a stop sign.
A first dialog box will ask if you want to to replace the file on Reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Post please a new hijackthis log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 akryte

akryte
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 13 January 2005 - 07:20 PM

Here is my new log:

Logfile of HijackThis v1.99.0
Scan saved at 4:18:37 PM, on 1/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\MMaestro\BWheel35.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [EBF244F3] C:\WINDOWS\system32\rxextpdl.exe
O4 - HKLM\..\Run: [BD6D4CF6] C:\WINDOWS\system32\1agte.exe
O4 - HKLM\..\Run: [836C14C3] C:\WINDOWS\system32\dvDLco.exe
O4 - HKLM\..\Run: [E00791F3] C:\WINDOWS\system32\oxxvi.exe
O4 - HKLM\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - HKLM\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKLM\..\Run: [BC7F3CF3] C:\WINDOWS\system32\pcvutpst.exe
O4 - HKLM\..\Run: [043CCC8E] C:\WINDOWS\system32\uthzat.exe
O4 - HKLM\..\Run: [FA6D06F6] C:\WINDOWS\system32\1agDDCs20.exe
O4 - HKLM\..\Run: [AADBAB6E] C:\WINDOWS\system32\svcludmpa.exe
O4 - HKLM\..\Run: [BDAD94D3] C:\WINDOWS\system32\aappmg.exe
O4 - HKLM\..\Run: [9389E4C6] C:\WINDOWS\system32\vifctlatim.exe
O4 - HKLM\..\Run: [CE8C515E] C:\WINDOWS\system32\atsrvsbr.exe
O4 - HKLM\..\Run: [4C1905E6] C:\WINDOWS\system32\exaco3Dq3.exe
O4 - HKLM\..\Run: [5185E4F6] C:\WINDOWS\system32\resTrus.exe
O4 - HKLM\..\Run: [8A8D9F53] C:\WINDOWS\system32\acluvpcfg.exe
O4 - HKLM\..\Run: [DCE9C06E] C:\WINDOWS\system32\eamudio.exe
O4 - HKLM\..\Run: [997B857E] C:\WINDOWS\system32\awClasass.exe
O4 - HKLM\..\Run: [0AB56706] C:\WINDOWS\system32\uagwse.exe
O4 - HKLM\..\Run: [A086854B] C:\WINDOWS\system32\dispwse.exe
O4 - HKLM\..\Run: [4442556E] C:\WINDOWS\system32\asfilcPas.exe
O4 - HKLM\..\Run: [CBAC4553] C:\WINDOWS\system32\auserciad.exe
O4 - HKLM\..\Run: [4190CFDE] C:\WINDOWS\system32\chsc3d.exe
O4 - HKLM\..\Run: [CB9C676E] C:\WINDOWS\system32\ti2wsjmo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CBAC4553] C:\WINDOWS\system32\auserciad.exe
O4 - HKCU\..\Run: [4190CFDE] C:\WINDOWS\system32\chsc3d.exe
O4 - HKCU\..\Run: [CB9C676E] C:\WINDOWS\system32\ti2wsjmo.exe
O4 - HKCU\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKCU\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105149942671
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:06 PM

Posted 13 January 2005 - 07:24 PM

Looks good. :thumbsup:

Run HijackThis!, press Scan, and put a check mark next to all these:

O4 - HKLM\..\Run: [EBF244F3] C:\WINDOWS\system32\rxextpdl.exe
O4 - HKLM\..\Run: [BD6D4CF6] C:\WINDOWS\system32\1agte.exe
O4 - HKLM\..\Run: [836C14C3] C:\WINDOWS\system32\dvDLco.exe
O4 - HKLM\..\Run: [E00791F3] C:\WINDOWS\system32\oxxvi.exe
O4 - HKLM\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe
O4 - HKLM\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKLM\..\Run: [BC7F3CF3] C:\WINDOWS\system32\pcvutpst.exe
O4 - HKLM\..\Run: [043CCC8E] C:\WINDOWS\system32\uthzat.exe
O4 - HKLM\..\Run: [FA6D06F6] C:\WINDOWS\system32\1agDDCs20.exe
O4 - HKLM\..\Run: [AADBAB6E] C:\WINDOWS\system32\svcludmpa.exe
O4 - HKLM\..\Run: [BDAD94D3] C:\WINDOWS\system32\aappmg.exe
O4 - HKLM\..\Run: [9389E4C6] C:\WINDOWS\system32\vifctlatim.exe
O4 - HKLM\..\Run: [CE8C515E] C:\WINDOWS\system32\atsrvsbr.exe
O4 - HKLM\..\Run: [4C1905E6] C:\WINDOWS\system32\exaco3Dq3.exe
O4 - HKLM\..\Run: [5185E4F6] C:\WINDOWS\system32\resTrus.exe
O4 - HKLM\..\Run: [8A8D9F53] C:\WINDOWS\system32\acluvpcfg.exe
O4 - HKLM\..\Run: [DCE9C06E] C:\WINDOWS\system32\eamudio.exe
O4 - HKLM\..\Run: [997B857E] C:\WINDOWS\system32\awClasass.exe
O4 - HKLM\..\Run: [0AB56706] C:\WINDOWS\system32\uagwse.exe
O4 - HKLM\..\Run: [A086854B] C:\WINDOWS\system32\dispwse.exe
O4 - HKLM\..\Run: [4442556E] C:\WINDOWS\system32\asfilcPas.exe
O4 - HKLM\..\Run: [CBAC4553] C:\WINDOWS\system32\auserciad.exe
O4 - HKLM\..\Run: [4190CFDE] C:\WINDOWS\system32\chsc3d.exe
O4 - HKLM\..\Run: [CB9C676E] C:\WINDOWS\system32\ti2wsjmo.exe
O4 - HKCU\..\Run: [CBAC4553] C:\WINDOWS\system32\auserciad.exe
O4 - HKCU\..\Run: [4190CFDE] C:\WINDOWS\system32\chsc3d.exe
O4 - HKCU\..\Run: [CB9C676E] C:\WINDOWS\system32\ti2wsjmo.exe
O4 - HKCU\..\Run: [AAAD51D3] C:\WINDOWS\system32\1agtmp.exe
O4 - HKCU\..\Run: [FB56176B] C:\WINDOWS\system32\pcutmuth.exe

O15 - Trusted Zone: http://*.69sexsearch.com


Close all other windows and browsers, and press the Fix Checked button.

REBOOT your machine and post a new log please.

Edited by Daisuke, 13 January 2005 - 07:25 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#7 akryte

akryte
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 14 January 2005 - 08:40 PM

:thumbsup: Here is my new log:

Logfile of HijackThis v1.99.0
Scan saved at 5:38:52 PM, on 1/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\MMaestro\BWheel35.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105149942671
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:06 PM

Posted 15 January 2005 - 05:15 AM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.


Update Sun Java: latest version = J2SE v 1.4.2_06 JRE - http://java.sun.com/j2se/1.4.2/download.html
Version 1.4.2_04 is vulnerable.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#9 akryte

akryte
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 15 January 2005 - 11:05 AM

Thank you Daisuke for all your help. It's so nice that there are people like you that are willing to give up their own time to help other people out. Thanks again!!

#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:06 PM

Posted 15 January 2005 - 05:24 PM

You're Welcome ! Happy surfing :thumbsup:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users