Posts posted by jay888
I need a new HJT log too.
Logfile of HijackThis v1.99.1
Scan saved at 9:46:53 PM, on 8/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b2b97a9f-be18-4840-92c8-dc2f5747fc91} - C:\WINDOWS\system32\logp32.dll (file missing)
O2 - BHO: (no name) - {E5D1E8C2-677A-49C7-9D36-486CC23AD677} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: UCS Shared Browser Helper Object - {F1D49A84-8656-43ce-AE3D-AABC1A12243E} - C:\WINDOWS\system32\BhoUCS.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] "C:\Program Files\QUICKENW\QAGENT.EXE"
O4 - HKLM\..\Run: [uFD Monitor] "C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe"
O4 - HKLM\..\Run: [uFD Utility] "C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
O4 - HKLM\..\Run: [bJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
O4 - HKLM\..\Run: [LogitechImageStudioTray] "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] "C:\Program Files\Virtual Account Numbers\CitiUCS.exe" /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: logp32 - logp32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wintqh32 - wintqh32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
-
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post with a new HJT log.
Thanks, here is the log.
AC3Filter (remove only)
Ad-aware 6 Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Illustrator 10
Adobe Photoshop 6.0
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.7
Adobe Reader Japanese Fonts
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
ALPS Touch Pad Driver
America Online
Apache2Triad: Apache2Triad - apache server bunndle (remove only)
Aspi Installer
AudibleManager
Britannica Ready Reference
BroadJump Client Foundation
ccCommon
CloneCD
C-Major Audio
Creative Mass Storage Drivers
Creative MediaSource
Creative System Information
Creative Zen Nano Plus
Cubis Gold
DAO
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
Dell TrueMobile 1300 WLAN Mini-PCI Card
Direct Show Ogg Vorbis Filter (remove only)
DivX ;-) Audio Compressor 4.02
DVDSentry
E90 Screen Saver
EarthLink Setup Files
Easy CD Creator 5 Basic
ewido anti-spyware 4.0
Focus 2000
GogoPenQPad
Google Talk (remove only)
Google Toolbar for Internet Explorer
Hexic Deluxe
HijackThis 1.99.1
HP PSC & OfficeJet 5.3.B
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Worm Protection
InterVideo WinDVD
ItsDeductible Express
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 SDK, SE v1.4.2_10
Lexus GS ScreenSaver1
Lexus IS ScreenSaver1
Linksys Viewer & Recorder Utility
LiveReg (Symantec Corporation)
LiveUpdate 2.7 (Symantec Corporation)
Logitech ImageStudio
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia FreeHand 10
Meetro 0.92 beta
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Location Finder
Microsoft Office XP Professional with FrontPage
Microsoft Streets & Trips 2006 with GPS Locator
Microsoft Windows Journal Viewer
Modem Helper
Mozilla Firefox (1.5.0.6)
MSN Messenger 7.5
MSN Money Investment Toolbox
MSN Music Assistant
Musicmatch® Jukebox
NAVShortcut
Nero 6 Ultra Edition
NetBeans IDE 4.1
NJStar Communicator
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
Paint Shop Pro 7
palmOne
Panda ActiveScan
PB 5.0 Deployment Kit for Intel 32
PCTEL 2304WT V.92 MDC Modem Drivers
PeopleSoft Library
PowerBuilder 5.0 Enterprise for Intel 32
Quicken 2002 New User Edition
QuickSet
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
ShellExView
Skype (BETA)
Smart Audio Converter
SmartSoft Video Converter
SonicWALL Global VPN Client
SPBBC
Spy Sweeper
Spybot - Search & Destroy 1.2
Spyware Remover
SurfSecret DVD Rip and Burn 2.12
Symantec
SymNet
TextPad 4.7
TurboTax Deluxe 2005
TurboTax Premier 2004
TurboTax Premier Home & Business 2003
Ulead GIF Animator 5 TBYB
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
USB2.0 PC Camera (SN9C201&202)
Viewpoint Manager (Remove Only)
Virtual Account Numbers
Visual IP InSight(SBC)
VNC Free Edition 4.1.1
WexTech AnswerWorks
Winamp (remove only)
WinAVI VideoConverter
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPcap 3.1 beta3
WinRAR archiver
WinZip
WordPerfect Office 11
WriteExpress 3,001 Business & Sales Letters
XviD MPEG-4 Video Codec
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v7
Yahoo! Toolbar
-
Since the msg for the HJ log got cut off, here is another post.
Logfile of HijackThis v1.99.1
Scan saved at 5:20:49 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\tsnp2std.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b2b97a9f-be18-4840-92c8-dc2f5747fc91} - C:\WINDOWS\system32\logp32.dll (file missing)
O2 - BHO: (no name) - {E5D1E8C2-677A-49C7-9D36-486CC23AD677} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: UCS Shared Browser Helper Object - {F1D49A84-8656-43ce-AE3D-AABC1A12243E} - C:\WINDOWS\system32\BhoUCS.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] "C:\Program Files\QUICKENW\QAGENT.EXE"
O4 - HKLM\..\Run: [uFD Monitor] "C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe"
O4 - HKLM\..\Run: [uFD Utility] "C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
O4 - HKLM\..\Run: [bJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
O4 - HKLM\..\Run: [LogitechImageStudioTray] "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] "C:\Program Files\Virtual Account Numbers\CitiUCS.exe" /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: logp32 - logp32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wintqh32 - wintqh32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
-
Hello ... let's do a quick sweep up first. You have a lot of stuff (not all bad stuff just ... stuff...)
Can you please tell me what symptom you are having?
Let's get started .. you may want to print this out.
STEP 1:
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
- Double-click sspsetup1.exe to install it.
- Before installation it may ask you to check for program updates. Click YES. Then finish the installation leaving all the default options.
- Once the program is installed, it will ask if you wish to reboot now; choose YES.
- After reboot, open SpySweeper by double-clicking the icon on your desktop.
- Click Options on the left side.
- Click the Sweep tab.
- Under Items to Sweep make sure the following are checked:
  - Windows registry
  - Memory objects
  - Cookies
  - Compressed Files
  - System Restore Folder
- Under Other Options make sure the following are checked:
  - Sweep all user accounts
  - Enable Direct Disk Sweeping
  - Sweep for rootkits
- Click the Sweep button on the left side.
- Click the Start Sweep button.
- When it's done scanning, make sure everything has a check next to it, then click the Quarantine Selected button.
- It will quarantine all of the items found.
- Click View Session Log in the right corner above the box where the items are listed.
- Click Save to File and save it on your desktop.
- Exit SpySweeper.
- Paste the contents of the session log you saved into your next reply (Spy Sweeper Session Log.txt).
- NOTE: you can get to the log by clicking Options on the left. Then, View Session Log will be listed under Other Options.
STEP 2:
Please go HERE to run Panda's ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
STEP 3:
Please post all the requested logs along with a new HJT log. Thanks!
I am so happy to clean my laptop. The symptom is that when I use IE, sometimes it crashes, freezes, pops up another instance of IE, and my computer stops responding and I have to end the task. Firefox works fine without problems.
Here are the logs in the order you requested. Thanks so much!
2:54 PM: Removal process completed. Elapsed time 00:15:53
2:54 PM: A reboot was required but declined.
2:50 PM: Quarantining All Traces: zedo cookie
2:50 PM: Quarantining All Traces: winantiviruspro cookie
2:50 PM: Quarantining All Traces: myaffiliateprogram.com cookie
2:50 PM: Quarantining All Traces: videodome cookie
2:50 PM: Quarantining All Traces: tribalfusion cookie
2:50 PM: Quarantining All Traces: webtrendslive cookie
2:50 PM: Quarantining All Traces: reliablestats cookie
2:50 PM: Quarantining All Traces: questionmarket cookie
2:50 PM: Quarantining All Traces: mediaplex cookie
2:50 PM: Quarantining All Traces: maxserving cookie
2:50 PM: Quarantining All Traces: dealtime cookie
2:50 PM: Quarantining All Traces: exitexchange cookie
2:50 PM: Quarantining All Traces: casalemedia cookie
2:50 PM: Quarantining All Traces: atlas dmt cookie
2:50 PM: Quarantining All Traces: advertising cookie
2:50 PM: Quarantining All Traces: adrevolver cookie
2:50 PM: Quarantining All Traces: adprofile cookie
2:50 PM: Quarantining All Traces: specificclick.com cookie
2:50 PM: Quarantining All Traces: websponsors cookie
2:50 PM: Quarantining All Traces: mytemplatestorage cookie
2:49 PM: Quarantining All Traces: realmedia cookie
2:49 PM: Quarantining All Traces: rn11 cookie
2:49 PM: Quarantining All Traces: belnk cookie
2:49 PM: Quarantining All Traces: delfinproject cookie
2:49 PM: Quarantining All Traces: cardomain cookie
2:49 PM: Quarantining All Traces: atwola cookie
2:49 PM: Quarantining All Traces: apmebf cookie
2:49 PM: Quarantining All Traces: hotbar cookie
2:49 PM: Quarantining All Traces: hbmediapro cookie
2:49 PM: Quarantining All Traces: adknowledge cookie
2:49 PM: Quarantining All Traces: about cookie
2:49 PM: Quarantining All Traces: browseraid
2:49 PM: Quarantining All Traces: spyware quake
2:49 PM: Quarantining All Traces: prosearch.com hijack
2:49 PM: Quarantining All Traces: cws_meup
2:49 PM: Quarantining All Traces: winantivirus pro
2:48 PM: Quarantining All Traces: coolwebsearch (cws)
2:48 PM: Quarantining All Traces: delfin
2:48 PM: Quarantining All Traces: easyerror
2:48 PM: Quarantining All Traces: spad
2:48 PM: Quarantining All Traces: heretofind
2:48 PM: Quarantining All Traces: childoleauto
2:48 PM: Quarantining All Traces: apropos
2:48 PM: Quarantining All Traces: trojan-downloader-zlob
2:48 PM: Quarantining All Traces: cws-aboutblank
2:48 PM: Quarantining All Traces: msn sniffer
2:48 PM: Quarantining All Traces: popuper
2:48 PM: Quarantining All Traces: trojan-downloader-conhook
2:48 PM: Quarantining All Traces: trojan agent winlogonhook
2:48 PM: Quarantining All Traces: security2k hijacker
2:48 PM: C:\WINDOWS\SYSTEM32\geedc.dll is in use. It will be removed on reboot.
2:48 PM: virtumonde is in use. It will be removed on reboot.
2:40 PM: Quarantining All Traces: virtumonde
2:40 PM: Quarantining All Traces: trojan-downloader-2pursuit
2:38 PM: Removal process initiated
2:31 PM: Traces Found: 168
2:31 PM: Full Sweep has completed. Elapsed time 05:44:06
2:31 PM: File Sweep Complete, Elapsed Time: 05:35:35
1:18 PM: Found System Monitor: potentially rootkit-masked files
1:18 PM: Warning: Failed to access drive E:
1:03 PM: Warning: Failed to open file "c:\documents and settings\coco\my documents\my pictures\sony image transfer\tokyo-hk-vacation\tokyo\things to do\tcvb recommendation spot!!!\tokyo metropolitan government offices (up 55 seconds)\yes!tokyo - tokyo convention visitors bureau_files\head2_files\ind_press_s.gif". The operation completed successfully
1:03 PM: Warning: Failed to open file "c:\documents and settings\coco\my documents\my pictures\sony image transfer\tokyo-hk-vacation\tokyo\things to do\tcvb recommendation spot!!!\tokyo metropolitan government offices (up 55 seconds)\yes!tokyo - tokyo convention visitors bureau_files\head2_files\ind_conve_s.gif". The operation completed successfully
1:03 PM: Warning: Failed to open file "c:\documents and settings\coco\my documents\my pictures\sony image transfer\tokyo-hk-vacation\tokyo\things to do\tcvb recommendation spot!!!\tokyo metropolitan government offices (up 55 seconds)\yes!tokyo - tokyo convention visitors bureau_files\head2_files\ind_hot_s.gif". The operation completed successfully
1:00 PM: Warning: Failed to open file "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\a0042928.lnk". The operation completed successfully
12:44 PM: Warning: Failed to open file "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\snapshot\_registry_machine_system". The operation completed successfully
12:38 PM: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0048740.exe (ID = 305008)
12:33 PM: c:\windows\downloaded program files\uwa6p_0001_n91m1807netinstaller.exe (ID = 327827)
12:33 PM: Found Adware: winantivirus pro
12:11 PM: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0048736.exe (ID = 408)
12:11 PM: Found Trojan Horse: trojan-downloader-zlob
11:48 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\a0042894.vxd". "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\a0042894.vxd": File not found
11:35 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\a0042895.dll". "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\a0042895.dll": File not found
10:32 AM: Warning: Failed to open file "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\change.log.5". The operation completed successfully
10:31 AM: Warning: Failed to open file "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\a0042958.data". The operation completed successfully
10:22 AM: Warning: Failed to open file "c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp193\a0042970.lnk". The operation completed successfully
9:34 AM: IE Security Shield: found: C:\WINDOWS\SYSTEM32\MKPMARWL.EXE -- IE Security modification denied
9:29 AM: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP211\A0045512.exe (ID = 298057)
9:17 AM: C:\Program Files\Microsoft AntiSpyware\Quarantine\46FEA5A4-8701-4EDF-A1B5-37FB34\7BE2E4B7-C5BD-4BF5-A8D7-261D03 (ID = 312696)
9:11 AM: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP211\A0045513.ini (ID = 298068)
9:10 AM: C:\WINDOWS\SYSTEM32\wecxg32.dll (ID = 54008)
9:10 AM: C:\WINDOWS\SYSTEM32\zxmsn.dll (ID = 54008)
9:08 AM: C:\WINDOWS\SYSTEM32\gupd.dll (ID = 54008)
9:08 AM: C:\WINDOWS\SYSTEM32\cidpoq32.dll (ID = 54008)
9:06 AM: C:\WINDOWS\SYSTEM32\cidft.dll (ID = 54008)
9:06 AM: C:\WINDOWS\SYSTEM32\sdfup.dll (ID = 54008)
9:06 AM: C:\WINDOWS\SYSTEM32\xcwer32.dll (ID = 54008)
9:06 AM: C:\WINDOWS\SYSTEM32\icvbr.dll (ID = 54008)
9:06 AM: C:\WINDOWS\SYSTEM32\icqrt.dll (ID = 54187)
9:06 AM: C:\WINDOWS\SYSTEM32\icnfe.dll (ID = 54008)
9:06 AM: Found Adware: coolwebsearch (cws)
8:58 AM: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP211\A0045516.lnk (ID = 288513)
8:56 AM: C:\Documents and Settings\CoCo\Local Settings\Temp\~DlfnTmp3 (1 subtraces) (ID = 2147486173)
8:56 AM: C:\Documents and Settings\CoCo\Local Settings\Temp\~DlfnTmp2 (1 subtraces) (ID = 2147486172)
8:56 AM: C:\Documents and Settings\CoCo\Local Settings\Temp\~DlfnTmp4 (1 subtraces) (ID = 2147486174)
8:56 AM: Found Adware: delfin
8:55 AM: Starting File Sweep
8:55 AM: Cookie Sweep Complete, Elapsed Time: 00:00:03
8:55 AM: c:\documents and settings\coco\cookies\coco@zedo[2].txt (ID = 3762)
8:55 AM: Found Spy Cookie: zedo cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][2].txt (ID = 3690)
8:55 AM: Found Spy Cookie: winantiviruspro cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][1].txt (ID = 3032)
8:55 AM: Found Spy Cookie: myaffiliateprogram.com cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@videodome[1].txt (ID = 3638)
8:55 AM: Found Spy Cookie: videodome cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@tribalfusion[1].txt (ID = 3589)
8:55 AM: Found Spy Cookie: tribalfusion cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][2].txt (ID = 3667)
8:55 AM: Found Spy Cookie: webtrendslive cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][3].txt (ID = 3254)
8:55 AM: c:\documents and settings\coco\cookies\[email protected][1].txt (ID = 3254)
8:55 AM: Found Spy Cookie: reliablestats cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@realmedia[2].txt (ID = 3235)
8:55 AM: c:\documents and settings\coco\cookies\coco@questionmarket[1].txt (ID = 3217)
8:55 AM: Found Spy Cookie: questionmarket cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][1].txt (ID = 3236)
8:55 AM: c:\documents and settings\coco\cookies\coco@mediaplex[1].txt (ID = 6442)
8:55 AM: Found Spy Cookie: mediaplex cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@maxserving[1].txt (ID = 2966)
8:55 AM: Found Spy Cookie: maxserving cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@exitexchange[2].txt (ID = 2633)
8:55 AM: c:\documents and settings\coco\cookies\coco@dealtime[2].txt (ID = 2505)
8:55 AM: Found Spy Cookie: dealtime cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][1].txt (ID = 2634)
8:55 AM: c:\documents and settings\coco\cookies\[email protected][1].txt (ID = 2634)
8:55 AM: Found Spy Cookie: exitexchange cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@casalemedia[2].txt (ID = 2354)
8:55 AM: Found Spy Cookie: casalemedia cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@atdmt[2].txt (ID = 2253)
8:55 AM: Found Spy Cookie: atlas dmt cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@advertising[1].txt (ID = 2175)
8:55 AM: Found Spy Cookie: advertising cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@adrevolver[1].txt (ID = 2088)
8:55 AM: Found Spy Cookie: adrevolver cookie
8:55 AM: c:\documents and settings\coco\cookies\coco@adprofile[2].txt (ID = 2084)
8:55 AM: Found Spy Cookie: adprofile cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][2].txt (ID = 3400)
8:55 AM: Found Spy Cookie: specificclick.com cookie
8:55 AM: c:\documents and settings\coco\cookies\[email protected][2].txt (ID = 3665)
8:55 AM: Found Spy Cookie: websponsors cookie
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][1].txt (ID = 3050)
8:55 AM: Found Spy Cookie: mytemplatestorage cookie
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][2].txt (ID = 2038)
8:55 AM: c:\documents and settings\jessica\cookies\jessica@realmedia[2].txt (ID = 3235)
8:55 AM: Found Spy Cookie: realmedia cookie
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][1].txt (ID = 2038)
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][2].txt (ID = 3262)
8:55 AM: Found Spy Cookie: rn11 cookie
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][2].txt (ID = 2293)
8:55 AM: Found Spy Cookie: belnk cookie
8:55 AM: c:\documents and settings\jessica\cookies\jessica@delfinproject[1].txt (ID = 2509)
8:55 AM: Found Spy Cookie: delfinproject cookie
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][1].txt (ID = 2038)
8:55 AM: c:\documents and settings\jessica\cookies\jessica@cardomain[2].txt (ID = 2350)
8:55 AM: Found Spy Cookie: cardomain cookie
8:55 AM: c:\documents and settings\jessica\cookies\jessica@atwola[1].txt (ID = 2255)
8:55 AM: Found Spy Cookie: atwola cookie
8:55 AM: c:\documents and settings\jessica\cookies\jessica@apmebf[1].txt (ID = 2229)
8:55 AM: Found Spy Cookie: apmebf cookie
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][1].txt (ID = 4207)
8:55 AM: Found Spy Cookie: hotbar cookie
8:55 AM: c:\documents and settings\jessica\cookies\[email protected][2].txt (ID = 2768)
8:55 AM: Found Spy Cookie: hbmediapro cookie
8:55 AM: c:\documents and settings\jessica\cookies\jessica@adknowledge[1].txt (ID = 2072)
8:55 AM: Found Spy Cookie: adknowledge cookie
8:55 AM: c:\documents and settings\jessica\cookies\jessica@about[1].txt (ID = 2037)
8:55 AM: Found Spy Cookie: about cookie
8:55 AM: Starting Cookie Sweep
8:55 AM: Registry Sweep Complete, Elapsed Time:00:00:52
8:55 AM: HKU\S-1-5-21-894892478-1671654027-2876248559-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
8:55 AM: HKU\S-1-5-21-894892478-1671654027-2876248559-1007\software\classes\clsid\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (ID = 127116)
8:55 AM: HKU\S-1-5-21-894892478-1671654027-2876248559-1007\software\microsoft\internet explorer\extensions\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (ID = 127080)
8:55 AM: HKU\S-1-5-21-894892478-1671654027-2876248559-1007\software\microsoft\internet explorer\extensions\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (ID = 127080)
8:55 AM: HKU\S-1-5-21-894892478-1671654027-2876248559-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
8:55 AM: Found Adware: cws-aboutblank
8:55 AM: HKU\S-1-5-21-894892478-1671654027-2876248559-1007\software\microsoft\windows\currentversion\updt\ (ID = 105189)
8:55 AM: Found Adware: browseraid
8:55 AM: HKLM\software\classes\clsid\{3f143c3a-1457-6cca-03a7-7aa23b61e40f}\ (ID = 1571509)
8:55 AM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {259ba022-2005-45e9-a965-10edb9c00605} (ID = 1538921)
8:55 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{062492af-392e-479d-bf52-a7a4bca00307}\ (ID = 1538630)
8:55 AM: HKLM\software\classes\clsid\{062492af-392e-479d-bf52-a7a4bca00307}\ (ID = 1538618)
8:55 AM: HKCR\clsid\{062492af-392e-479d-bf52-a7a4bca00307}\ (ID = 1538606)
8:55 AM: HKLM\software\microsoft\rasap2k\ (ID = 1511572)
8:55 AM: HKLM\software\microsoft\dstr5\ (ID = 1511570)
8:55 AM: HKLM\software\microsoft\windows\currentversion\uninstall\msn sniffer v1.2 evaluation version \ (ID = 1509875)
8:55 AM: Found System Monitor: msn sniffer
8:55 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\{686a161d-5bd1-4999-8832-6393f41e564c}\ (ID = 1505707)
8:55 AM: Found Adware: popuper
8:55 AM: HKLM\software\classes\typelib\{5cb9686d-cc21-4927-b904-d91d4479f4bd}\ (ID = 1496911)
8:55 AM: HKCR\typelib\{5cb9686d-cc21-4927-b904-d91d4479f4bd}\ (ID = 1496901)
8:55 AM: Found Adware: spyware quake
8:55 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32\ (ID = 1252409)
8:55 AM: HKLM\software\microsoft\internet explorer\main\ || search page_bak (ID = 1250789)
8:55 AM: Found Adware: prosearch.com hijack
8:55 AM: HKLM\software\classes\clsid\{0b5f7fdf-0717-45bf-b49d-695f3168c7fe}\ (ID = 1149560)
8:55 AM: HKCR\clsid\{0b5f7fdf-0717-45bf-b49d-695f3168c7fe}\ (ID = 1149518)
8:55 AM: Found Adware: easyerror
8:55 AM: HKLM\system\currentcontrolset\services\dp1112\ (ID = 1138322)
8:55 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\geedc\ (ID = 1125293)
8:55 AM: Found Trojan Horse: trojan-downloader-conhook
8:54 AM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
8:54 AM: Found Trojan Horse: trojan agent winlogonhook
8:54 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (ID = 735573)
8:54 AM: Found Adware: security2k hijacker
8:54 AM: HKLM\software\classes\clsid\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (ID = 127120)
8:54 AM: HKCR\clsid\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (ID = 127065)
8:54 AM: Found Adware: spad
8:54 AM: HKCR\clsid\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (ID = 127065)
8:54 AM: Found Adware: heretofind
8:54 AM: HKCR\clsid\{3f143c3a-1457-6cca-03a7-7aa23b61e40f}\ (ID = 105493)
8:54 AM: Found Trojan Horse: childoleauto
8:54 AM: HKLM\software\classes\interface\{a2872b10-39f2-42df-9335-7dd38cf75255}\ (ID = 103771)
8:54 AM: HKCR\clsid\{a2872b10-39f2-42df-9335-7dd38cf75255}\ (ID = 103725)
8:54 AM: Found Adware: apropos
8:54 AM: Starting Registry Sweep
8:54 AM: Memory Sweep Complete, Elapsed Time: 00:07:10
8:48 AM: Detected running threat: C:\WINDOWS\SYSTEM32\geedc.dll (ID = 394)
8:48 AM: Found Adware: virtumonde
8:47 AM: Starting Memory Sweep
8:47 AM: HKLM\software\classes\clsid\{062492af-392e-479d-bf52-a7a4bca00307}\inprocserver32\ (ID = 1560802)
8:47 AM: HKCR\clsid\{062492af-392e-479d-bf52-a7a4bca00307}\inprocserver32\ (ID = 1560801)
8:47 AM: Found Adware: cws_meup
8:47 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32\ || dllname (ID = 1538933)
8:47 AM: Found Trojan Horse: trojan-downloader-2pursuit
8:47 AM: Sweep initiated using definitions version 741
8:47 AM: Spy Sweeper 5.0.5.1286 started
8:47 AM: | Start of Session, Wednesday, August 16, 2006 |
********
8:47 AM: | End of Session, Wednesday, August 16, 2006 |
8:45 AM: Your spyware definitions have been updated.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
8:34 AM: Shield States
8:33 AM: Spyware Definitions: 691
8:32 AM: Spy Sweeper 5.0.5.1286 started
8:32 AM: Spy Sweeper 5.0.5.1286 started
8:32 AM: | Start of Session, Wednesday, August 16, 2006 |
********
=====================================================
Panda's active scan log
=====================================================
Incident Status Location
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UDC6_0001_D18M1108NetInstaller.exe
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Adware:adware/alibabar Not disinfected Windows Registry
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\CoCo\Application Data\Mozilla\Firefox\Profiles\3d8cvnbg.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@bfast[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt
============================================
New HJThis Log
============================================
Logfile of HijackThis v1.99.1
Scan saved at 5:20:49 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Pr
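The Spy Sweeper session log above is printed newest-first, so each "Found ..." header appears *after* the hits that belong to it, and the warnings, sweep-phase markers and hits are interleaved. The following script is an added example (not Spy Sweeper's own tooling and not code from the poster) that restores chronological order and attaches every hit to its detection, classifying each as file, registry or cookie and preserving the "Detected running threat" flag. The sample input is a constructed subset of the lines from the log above; the parsing rules (header-then-hits order, the `(ID = n)` suffix, the `Starting ... Sweep` phase lines) are assumptions inferred from that log.

```python
import re

# Constructed sample: a subset of lines copied from the Spy Sweeper log above,
# in the newest-first order Spy Sweeper writes them.
SAMPLE_SWEEP = r"""
1:18 PM: Found System Monitor: potentially rootkit-masked files
1:18 PM: Warning: Failed to access drive E:
12:11 PM: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0048736.exe (ID = 408)
12:11 PM: Found Trojan Horse: trojan-downloader-zlob
9:06 AM: C:\WINDOWS\SYSTEM32\icvbr.dll (ID = 54008)
9:06 AM: C:\WINDOWS\SYSTEM32\icnfe.dll (ID = 54008)
9:06 AM: Found Adware: coolwebsearch (cws)
8:56 AM: C:\Documents and Settings\CoCo\Local Settings\Temp\~DlfnTmp2 (1 subtraces) (ID = 2147486172)
8:56 AM: Found Adware: delfin
8:55 AM: Starting File Sweep
8:55 AM: c:\documents and settings\coco\cookies\coco@zedo[2].txt (ID = 3762)
8:55 AM: Found Spy Cookie: zedo cookie
8:55 AM: Starting Cookie Sweep
8:55 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\geedc\ (ID = 1125293)
8:55 AM: Found Trojan Horse: trojan-downloader-conhook
8:54 AM: Starting Registry Sweep
8:48 AM: Detected running threat: C:\WINDOWS\SYSTEM32\geedc.dll (ID = 394)
8:48 AM: Found Adware: virtumonde
8:47 AM: Starting Memory Sweep
"""

LINE_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M): (.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
PHASE_RE = re.compile(r"^Starting (?P<phase>.+) Sweep$")
# A hit is any line ending in "(ID = n)"; memory-sweep hits carry an extra prefix.
ITEM_RE = re.compile(r"^(?P<running>Detected running threat: )?(?P<target>.+) \(ID = (?P<id>\d+)\)$")
HIVE_RE = re.compile(r"^HK(LM|CU|CR|U)\\", re.IGNORECASE)


def classify(target):
    """Registry key, browser cookie file, or ordinary file on disk."""
    if HIVE_RE.match(target):
        return "registry"
    if "\\cookies\\" in target.lower():
        return "cookie"
    return "file"


def parse_sweep(text):
    """Return ({detection name: {category, phase, hits}}, [warnings]) in chronological order."""
    entries = [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]
    entries.reverse()  # log is newest-first; restore the order events happened in
    detections, warnings = {}, []
    phase, current = None, None
    for ts, msg in entries:
        if msg.startswith("Warning:"):
            warnings.append((ts, msg))
            continue
        m = PHASE_RE.match(msg)
        if m:  # a new sweep phase: hits before the next header belong to nothing
            phase, current = m.group("phase"), None
            continue
        m = FOUND_RE.match(msg)
        if m:  # header: subsequent hits attach to this detection
            current = m.group("name")
            detections.setdefault(current, {"category": m.group("category"), "phase": phase, "hits": []})
            continue
        m = ITEM_RE.match(msg)
        if m and current:
            detections[current]["hits"].append({
                "time": ts,
                "kind": classify(m.group("target")),
                "target": m.group("target"),
                "id": int(m.group("id")),
                "running": bool(m.group("running")),
            })
    return detections, warnings


def summarize(detections):
    """One row per detection: (name, category, phase, hit count, was anything running)."""
    return [
        (name, d["category"], d["phase"], len(d["hits"]), any(h["running"] for h in d["hits"]))
        for name, d in detections.items()
    ]


if __name__ == "__main__":
    found, warns = parse_sweep(SAMPLE_SWEEP)
    for row in summarize(found):
        print("%-35s %-14s %-9s hits=%d running=%s" % row)
    print("%d warning(s)" % len(warns))
```

Grouping this way makes two things visible that the flat log hides: a header with zero hits (here "potentially rootkit-masked files") is a heuristic, not a removable object, and a detection whose hit is marked running (virtumonde's geedc.dll, which also shows up as a Winlogon notify key under the conhook header) cannot be cleaned by file deletion alone while the DLL is loaded.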
- Double-click sspsetup1.exe to install it.
-
Hello jay888. Matt had to leave without notice, and along the way your log kinda fell through a crack... Soooo, you have the honor of switching helpers! (again)
If you are still here, please post a new HJT log if you need help, thanks.
Thanks a lot, I am so glad you can help me. I was thinking of reinstalling the OS as a last resort...
Logfile of HijackThis v1.99.1
Scan saved at 10:20:07 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
-
Congrats! Your log is clean!
How is your system running?
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
- Firefox- Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera is good as well.
- Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
- AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
- SpywareBlaster - Great prevention tool to keep malware from installing on your system.
- SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
- IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
- ATF Cleaner - Cleans temporary files from web browsers, and much more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
- Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
- Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this guide on safer computing.
Hi Matt,
I am very sorry to tell you that I am still infected. I know what caused this: I installed an application I downloaded online, and the application was opening a DOS prompt and trying to execute something, which caused all these pop-ups.
Please help, my computer is still infected.
-
Welcome back
Please scan with HJT and place a check next to the following item:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.
Please download FileFind from Atribune.
Unzip the file and save it to your desktop.
To run FileFind, please do the following:
- Click on FileFind.exe
- In the box labeled "Directory", enter the drive, e.g. C:\WINDOWS\system32\
- In the box labeled "File", enter chkdsk.dll
- Now click on the "Search" button
- Once the utility has found the files click on "Export"
- A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
- NOTE: The notepad is saved on your C:\ drive as "Export.txt"
Repeat those steps with the following file as well:
notepad.dll
Matt
Hi Matt,
I did delete the R3 entry in HJT, then I followed the steps to use the FileFind program to search for both .dll files; neither of them can be found in the windows\system32 directory...
So, I scanned with HJT just in case you want to read it.
Logfile of HijackThis v1.99.1
Scan saved at 9:56:59 AM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Video Camera\Linksys Viewer & Recorder Utility.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
-
Welcome back!
Please scan with HJT and place a check next to the following item:
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll
Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.
Please double-click Killbox.exe to run it.
- Select: Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\chkdsk.dll
C:\WINDOWS\system32\notepad.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Run another Ewido scan.
Post back the Ewido report and a new HJT log.
Matt
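A small triage script for the HijackThis line format quoted in this thread, added here as an example; it is not part of the thread and not HijackThis code. The sample lines are constructed from entries shown above, and the severity labels (high for any AppInit_DLLs entry, low for orphaned "(no file)"/"(file missing)" registrations, review for services with no recorded publisher) are my own assumptions.

```python
import re

# Constructed sample: a handful of lines in the format HijackThis 1.99.1 prints,
# copied from the entries quoted in this thread (not a full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Every HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^([RFN]\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Split an HJT log into (section, body) pairs.

    Header lines ("Logfile of HijackThis...", "Running processes:") and the
    bare process paths that follow them do not match ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries):
    """Return (severity, section, item, reason) tuples for entries worth a look.

    Severity labels are assumptions made for this example, not HJT's own.
    """
    findings = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # so any DLL listed here runs inside nearly every GUI program.
            # HJT prints the registry value verbatim; it may be comma- or
            # space-separated, so paths containing spaces would need
            # quoting-aware splitting (out of scope for this example).
            value = body[len("AppInit_DLLs:"):].strip()
            for dll in re.split(r"[,\s]+", value):
                if dll:
                    findings.append(("high", section, dll,
                                     "DLL injected into every process that loads user32.dll"))
        elif body.endswith("(no file)") or body.endswith("(file missing)"):
            # Orphaned registration: harmless by itself, but it is leftover
            # debris from something that was installed and later removed.
            findings.append(("low", section, body,
                             "registration points at a file that no longer exists"))
        elif section == "O23" and " - Unknown owner - " in body:
            # HJT could not read a publisher from the service binary.
            findings.append(("review", section, body,
                             "service binary has no recorded publisher"))
    return findings


if __name__ == "__main__":
    for severity, section, item, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:6}] {section}: {item}\n         {reason}")
```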
Hi, I got the PendingFileRenameOperations prompt on both files.
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:42:43 AM 7/21/2006
+ Scan result:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0050204.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0048732.dll -> Not-A-Virus.Hoax.Win32.Renos.dt : No action taken.
C:\apache2\opssl\bin\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jessica\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Jessica\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@valueclick[1].txt -> TrackingCookie.Valueclick : No action taken.
C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\CoCo\Cookies\coco@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\Jessica\Cookies\jessica@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
::Report end
So I rebooted the machine manually, then did an ewido scan and HJT. Please help.
After the ewido scan, I applied all actions to delete them.
Logfile of HijackThis v1.99.1
Scan saved at 11:52:18 AM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Thanks so much for your continuous support, I really appreciate it.
-
Jotti File Submission:
- Please go to Jotti's malware scan
- Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\tsnp2std.exe
- Click on the submit button
Repeat the previous steps with the following files:
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\chkdsk.dll
- Please post the 3 results in your next reply.
Matt
Hi, sorry for the late reply. I've been trying hard to use this website; it froze on me many times, because of my spyware?
Please let me know what else I need to check, thanks so much.
File: tsnp2std.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 51615816c80529488db618e3d78057a5
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: vsnp2std.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 5da1d493d24550d92f1407d3509df2b6
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
C:\WINDOWS\system32\chkdsk.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
-
Hi again jay888! I'll be "re-taking" over assisting you now, as it's Steamhead's turn to go out of town!
Anyway, please post a fresh HJT log, and we can continue.
Matt
Welcome back, Matt, hope you had a nice vacation.
Unfortunately, I am still having spyware popping up.
Logfile of HijackThis v1.99.1
Scan saved at 11:50:48 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
-
Can I see one more HJT log, please?
Please check for me. It seems that the pop-ups are still happening.
Logfile of HijackThis v1.99.1
Scan saved at 10:43:58 PM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
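The helpers in this thread read each HijackThis log by hand, applying the same handful of rules every time: hosts-file overrides (O1), logon entries that run from user-writable directories, carry random hexadecimal names or borrow the name of a Windows binary (O4), an IE button backed by an .ocx control (O9), anything at all in AppInit_DLLs (O20), and services whose file is missing (O23). The script below is an added example, not part of the thread or of HijackThis: it encodes those rules in Python so a log can be screened before the manual read. The sample lines are constructed from entries like the ones posted above, and the system-binary list and directory heuristics are this example's own assumptions; a hit is a reason to look closer, not a verdict.

```python
"""Screen a HijackThis 1.99 log for the indicators used in this thread (added example)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Windows binaries whose names malware likes to borrow (assumption: a short
# illustrative list, not an exhaustive one).
SYSTEM_NAMES = {
    "services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
    "explorer.exe", "mmc.exe", "wuauclt.exe", "notepad.exe", "chkdsk.exe",
}
# Where those binaries legitimately live on an XP box with a default install.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Directories a non-admin user can write to, in long and 8.3 short forms.
USER_WRITABLE = re.compile(
    r"\\(documents and settings|docume~1|local settings|locals~1|application data|"
    r"applic~1|temp|my documents|mydocu~1)\\", re.I)
RANDOM_HEX = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
PATH_IN_LINE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|ocx|scr|com|bat|cmd))"?', re.I)

# Constructed sample, modelled on entries from the logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O1 - Hosts: 199.182.179.252 batman
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [c329b8f7.exe] C:\WINDOWS\system32\c329b8f7.exe
O4 - HKCU\..\Run: [c329b8f7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe
O4 - HKCU\..\Run: [Luoqhya] C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SKS~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Dfoat] C:\DOCUME~1\CoCo\MYDOCU~1\RACLE~1\services.exe
O9 - Extra button: Microsoft JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


def levenshtein(a, b):
    """Edit distance, used to spot lookalikes such as wuaclt.exe next to wuauclt.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path):
    """Return the reasons a file launched at logon deserves a second look ([] if none)."""
    reasons = []
    directory, _, name = path.lower().rpartition("\\")
    if USER_WRITABLE.search(path):
        reasons.append("runs from a user-writable directory")
    if RANDOM_HEX.match(name):
        reasons.append("random-looking hexadecimal file name")
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append("system binary name (%s) in a non-system directory" % name)
    for legit in sorted(SYSTEM_NAMES):
        if name != legit and levenshtein(name, legit) == 1:
            reasons.append("lookalike of %s" % legit)
    return reasons


def triage(log_text):
    """Walk an HJT log and return the entries the helpers in this thread would act on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = line.split(" - ", 1)[0]
        if section == "O1":
            findings.append(Finding("O1", "hosts file override", line))
        elif section == "O4":
            # The launch path follows the [value name]; it may be quoted and carry arguments.
            match = PATH_IN_LINE.search(line.split("]", 1)[-1])
            for reason in (check_path(match.group(1)) if match else []):
                findings.append(Finding("O4", reason, line))
        elif section == "O9" and line.lower().endswith(".ocx"):
            findings.append(Finding("O9", "IE button backed by an .ocx control rather than an add-on DLL", line))
        elif section == "O20" and line.startswith("O20 - AppInit_DLLs:"):
            # Every DLL listed here is loaded into every process that links user32.dll.
            for dll in line.split(":", 1)[1].split():
                findings.append(Finding("O20", "DLL injected into every GUI process via AppInit_DLLs", dll))
        elif section == "O23":
            if "(file missing)" in line:
                findings.append(Finding("O23", "service points at a missing file", line))
            elif "Unknown owner" in line:
                findings.append(Finding("O23", "no publisher in the file's version information", line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("%-4s %-60s %s" % (finding.section, finding.reason, finding.line))
```

Run against the constructed sample, the script reports twelve findings: the hosts entry, the two random-hex logon entries (one also flagged for living under Local Settings), mmc.exe and services.exe running from non-system directories, wuaclt.exe as a one-character lookalike of wuauclt.exe, the comdlg32.ocx button, both AppInit DLLs and the Apache service with a missing file; the Dell and Symantec entries pass untouched.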
-
Hello jay888,
Let's finish this up!
STEP 1:
We need to run ATF Cleaner again.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
STEP 2:
Please go HERE to run Panda's ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
We're almost done!!
Yeah! I am so tired of my laptop, so glad you are making my life easier. Thanks so much.
You are awesome, if there is a way for me to make a donation, please let me know the link.
Incident Status Location
Adware:adware/nowfind Not disinfected c:\windows\system32\cidft.dll
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Adware:adware/miamore Not disinfected Windows Registry
Adware:adware/alibabar Not disinfected Windows Registry
Adware:adware/morwillsearch Not disinfected Windows Registry
Spyware:spyware/apropos Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@doubleclick[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@realmedia[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@trafficmp[2].txt
-
Hello jay888,
Let's finish this up!
STEP 1:
We need to run ATF Cleaner again.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
STEP 2:
Please go HERE to run Panda's ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
We're almost done!!
Hi, I hope this is the last scan, sorry for giving you so much trouble. Thanks so much!
Incident Status Location
Adware:adware/nowfind Not disinfected c:\windows\system32\cidft.dll
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Adware:adware/miamore Not disinfected Windows Registry
Adware:adware/alibabar Not disinfected Windows Registry
Adware:adware/morwillsearch Not disinfected Windows Registry
Spyware:spyware/apropos Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@doubleclick[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@realmedia[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@trafficmp[2].txt
-
Hello Jay888, Happy 4th of July!
- Please double-click Killbox.exe to run it.
- Select: Delete on Reboot, then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\notepad.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Please post a new Ewido log. Thanks!
-
Hello jay888 .. Sorry for the delay.
Let's get started! You may want to print this out for reference.
STEP 1:
Please open HijackThis and place a check next to the following items:
O4 - HKCU\..\Run: [c329b8f7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe
O4 - HKCU\..\Run: [9ea5b5e7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\9ea5b5e7.exe
O4 - HKCU\..\Run: [Dfoat] C:\DOCUME~1\CoCo\MYDOCU~1\RACLE~1\services.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SKS~1\wuaclt.exe" -vt ndrv
Close all open windows and browsers (except for HijackThis) and click on Fix Checked.
STEP 2:
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select: Delete on Reboot, then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe
C:\Documents and Settings\CoCo\Local Settings\Application Data\9ea5b5e7.exe
C:\DOCUME~1\CoCo\MYDOCU~1\RACLE~1\services.exe
C:\PROGRA~1\SKS~1\wuaclt.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
STEP 3:
Please post a fresh HijackThis log along with a new Ewido log. Thanks!
-
Hello jay888
Matt is out of town for the weekend, so I will be helping you until he gets back.
Do you have the ewido log??
Thanks!
-
Welcome back! We've got more work to do.
Jotti File Submission:
- Please go to Jotti's malware scan
- Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
- C:\WINDOWS\tsnp2std.exe
- Click on the submit button
- Please post the results in your next reply.
Repeat the previous steps for the following files:
- C:\WINDOWS\vsnp2std.exe
- C:\WINDOWS\system32\c329b8f7.exe
- C:\WINDOWS\system32\9ea5b5e7.exe
- C:\WINDOWS\system32\comdlg32.ocx
- C:\WINDOWS\system32\notepad.dll
Please scan with HJT and place a check next to the following items:
O1 - Hosts: 199.182.179.252 batman
O1 - Hosts: 199.182.179.122 pochacco
O1 - Hosts: 199.182.179.253 spiderman
O1 - Hosts: 199.182.179.242 superman
O1 - Hosts: 199.182.179.247 pita
O1 - Hosts: 199.182.179.240 zorro
O1 - Hosts: 199.182.179.250 pokemon
O1 - Hosts: 199.182.179.251 hercules
O1 - Hosts: 199.182.179.249 zeus
O1 - Hosts: 199.182.179.210 borman
O1 - Hosts: 199.182.179.241 scoobydoo
O1 - Hosts: 199.182.179.199 gateway
O1 - Hosts: 199.182.179.11 galaxy
O4 - HKCU\..\Run: [Luoqhya] C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SKS~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Dfoat] C:\Documents and Settings\CoCo\My Documents\?racle\services.exe
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O19 - User stylesheet: (file missing)
Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select: Delete on Reboot, then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe
C:\PROGRA~1\SKS~1\wuaclt.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Next, navigate to C:\Documents and Settings\CoCo\My Documents\ and look for a folder named ?racle. Note: the "?" will be replaced by a random character. To make sure you have the correct folder, open it up and look for a file named services.exe. Once you are sure you have found the correct folder, go back and delete the ?racle folder. If you have any doubt whether or not you have found the correct folder, post back and don't do anything.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
- Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
- Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports":
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet, we will shortly.
- Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
- Launch ewido anti-spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
- ewido will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
- If you have any infections you will be prompted; then select "Apply all actions"
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
- Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
Finally, post back with ALL 6 Jotti Scan Results, the Ewido Report, and a new HJT log.
Matt
Thanks so much, I went to the oracle folder, however it said access denied when I tried to delete it.
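The Killbox "Delete on Reboot" step quoted in this and the earlier posts, and the PendingFileRenameOperations prompt it warns about, both turn on one registry value: the Session Manager's PendingFileRenameOperations, a REG_MULTI_SZ of source/destination pairs in NT path form that Windows processes at the next boot, before the files are in use. An empty destination means delete, which is how a DLL that is loaded into every process (the notepad.dll asked for above) can be removed at all; a "!" on the destination means the target may be overwritten. Because malware uses the same queue, it is worth reading what is already in it before adding to it. The Python below is an added example, not Killbox's code: the build/parse helpers and the sample data are this example's own, and the live read only works on Windows.

```python
"""Build and inspect the PendingFileRenameOperations list that delete-on-reboot tools use (added example)."""
import sys

# Documented location of the value; the helper names below are this example's own.
SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def nt_path(win_path):
    r"""The value holds NT object names, so C:\dir\file is written as \??\C:\dir\file."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def build_delete_entries(paths):
    """Lay out source, destination, source, destination, ... as the value expects.

    An empty destination tells the boot-time processing to delete the source."""
    entries = []
    for path in paths:
        entries.extend([nt_path(path), ""])
    return entries


def parse_entries(multi_sz):
    """Turn the flat string list back into (source, destination, replace) tuples.

    destination is None for a delete; a leading '!' on a destination means the
    existing target may be overwritten (the MOVEFILE_REPLACE_EXISTING case)."""
    strings = list(multi_sz)
    if len(strings) % 2 and strings[-1] == "":
        strings.pop()  # tolerate a trailing terminator some readers leave in
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append((src, None, False))
        else:
            ops.append((src, dst.lstrip("!"), dst.startswith("!")))
    return ops


def describe(ops):
    """One readable line per queued operation, suitable for pasting into a reply."""
    lines = []
    for src, dst, replace in ops:
        if dst is None:
            lines.append("DELETE  %s" % src)
        else:
            lines.append("RENAME  %s -> %s%s" % (src, dst, " (replace)" if replace else ""))
    return lines


def read_pending():
    """Read what is really queued on this machine; [] off Windows or when nothing is queued."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return []
    return parse_entries(value)


if __name__ == "__main__":
    # Constructed sample: what the Killbox request in the post above would queue.
    queued = build_delete_entries([r"C:\WINDOWS\system32\notepad.dll"])
    for line in describe(parse_entries(queued)):
        print(line)
    for line in describe(read_pending()):
        print("already queued:", line)
```

Writing the value itself is deliberately left out: Killbox does it through the MoveFileEx delay-until-reboot path, and the point here is to be able to answer the helper's "let me know if you receive this message" with the exact list of operations that were already pending, which is also the list an incident responder wants when a machine has been told to replace or delete system files at next boot.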
-
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply, along with a new HJT log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
-
Hi and welcome to Besttechie! I will be assisting you!
Please print out all directions given, for use if/when you cannot access this page.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
-
Hi, please help me remove my spyware. I downloaded a program and after that I started to see an icon in my system tray: the icon with the Windows help logo, flashing with a stop sign. Help please.
I already tried Norton Anti-virus and 5 different spyware remover programs; the problem still exists. When I open IE, it goes to a different homepage. Also, there is a message that appears right above the system tray icon, telling me I need their spyware remover 'antimalware', then it goes to this page: hxxp://www.spywarequake.com/?aff=252
Link Edited to make "Non-Clickable" JWB
Logfile of HijackThis v1.99.1
Scan saved at 9:10:19 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SlimQ\Fahid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Virtual Account Numbers\CitiUCS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\c329b8f7.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\TEMP\win302.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\TEMP\win307.tmp.exe
C:\Documents and Settings\CoCo\Local Settings\Temp\HijackThis.exe
O1 - Hosts: 199.182.179.252 batman
O1 - Hosts: 199.182.179.122 pochacco
O1 - Hosts: 199.182.179.253 spiderman
O1 - Hosts: 199.182.179.242 superman
O1 - Hosts: 199.182.179.247 pita
O1 - Hosts: 199.182.179.240 zorro
O1 - Hosts: 199.182.179.250 pokemon
O1 - Hosts: 199.182.179.251 hercules
O1 - Hosts: 199.182.179.249 zeus
O1 - Hosts: 199.182.179.210 borman
O1 - Hosts: 199.182.179.241 scoobydoo
O1 - Hosts: 199.182.179.199 gateway
O1 - Hosts: 199.182.179.11 galaxy
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [c329b8f7.exe] C:\WINDOWS\system32\c329b8f7.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [c329b8f7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe
O4 - HKCU\..\Run: [Luoqhya] C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Help On Hijacklog Pls! Systray Icon [RESOLVED]
in Malware Removal
Posted
I want to thank all of you for the dedication and time you spend on helping me. I just reinstalled my OS, and everything works fine... sorry I gave up on cleaning my system.