geek Posted October 9, 2006 (edited)

Known trojan was said to have been removed by AVG, but is still present. Figured someone here might be able to point out issues to be resolved. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:46:18 PM, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\Yinstall.exe
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\Update.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ERICAT~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3000E1C3-09E5-1033-0512-041025200001}\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3000E1C3-09E5-1033-0512-041025200001}\MyToolBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\Yinstall.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136764335234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158716816796
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Edited October 10, 2006 by geek
therock247uk Posted October 10, 2006

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
geek Posted October 10, 2006

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0
AVG Free Edition
eMachines Bay Reader
GdiplusUpgrade
Google Talk (remove only)
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Java 2 Runtime Environment, SE v1.4.2
K-Lite Codec Pack 2.25 Full
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft ActiveX Control Pad
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Morpheus 5.2 (remove only)
MP3 Player Utilities V1.28
Musicmatch® Jukebox
Pizza Frenzy 1.0
QBz
QuickTime
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
ToolBar888
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
URGE
USB MP3 Driver v1.17r014
USB PC Camera (SN9C103)
VBRunDLL 3.0
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [see KB885492 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
therock247uk Posted October 10, 2006

Go to Start > Settings > Control Panel > Add/Remove and uninstall the following.
ToolBar888
Then post a new Hijackthis log here in a reply.
geek Posted October 10, 2006 (edited)

Ok, here is the log. Upon rebooting, the PC keeps opening a site at web . link4all . biz without the spaces, and asks the person to download photogbase.com/install.html. Even when the user doesn't install, it keeps popping up.

Logfile of HijackThis v1.99.1
Scan saved at 8:38:54 PM, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\Yinstall.exe
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\Update.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOCUME~1\ERICAT~1\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\Yinstall.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136764335234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158716816796
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Edited October 10, 2006 by geek
geek Posted October 10, 2006

Ok, well, looks like I figured out the problem. "O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\Yinstall.exe" was the culprit, it seems. Stopping its process and deleting it at its root file seems to have eliminated the web based pop up. After logging in on every account on this PC, it appears the situation is resolved. If anyone sees anything else that is suspicious, let me know in IRC or in this thread. Thanks, Rock, for all the help. The toolbar, without a doubt, was the first step in the removal of the virus. Hope this helps a person or two along the way.
therock247uk Posted October 10, 2006

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
geek Posted October 11, 2006 (edited)

Logfile after the above found no files and removal of Yinstall.exe.

Logfile of HijackThis v1.99.1
Scan saved at 10:20:01 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\Update.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\DOCUME~1\ERICAT~1\LOCALS~1\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\Yinstall.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136764335234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158716816796
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Edited October 11, 2006 by geek
geek Posted October 11, 2006 (edited)

ignore

Edited October 11, 2006 by geek
therock247uk Posted October 11, 2006

Open Hijackthis and click scan. Then check mark the following entries

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\Yinstall.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab

Now close all open windows except Hijackthis and click fix checked
Then post a new Hijackthis log here in a reply.
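As an added example (not code from this thread, from HijackThis, or from either poster), a small Python triage helper that applies the checks the thread turned on: a Run value named "explorer" whose target is not explorer.exe (the culprit geek identified), anything living under a GUID-named Common Files folder (where ToolBar888 and the Update.exe process sat), and an orphaned R3 URLSearchHook with "(no file)". The sample log is a constructed subset of the lines posted above; the rule set and the EXPECTED_TARGET map are assumptions chosen to match this thread, not a general signature.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis 1.99.1 lines quoted in
# this thread (a few running processes plus R3/O2/O4 entries).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Yinstall.exe
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\Update.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3000E1C3-09E5-1033-0512-041025200001}\MyToolBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\Yinstall.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# "R3 - ..." / "O4 - ..." section prefix and the rest of the line.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Body of an O4 entry: hive, value name in brackets, then the command.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<label>[^\]]+)\]\s*(?P<cmd>.*)$")
# A path under "Common Files\{GUID}\": where ToolBar888 and the Update.exe
# later flagged by AVG Anti-Spyware lived in this thread.
GUID_DIR_RE = re.compile(
    r"\\Common Files\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)
# Run-value names that should only ever point at one Windows binary.
# Assumption for this example; only "explorer" is taken from the thread.
EXPECTED_TARGET = {"explorer": "explorer.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def parse_log(text):
    """Split a HijackThis log into (process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def run_target(cmd):
    """Executable part of an O4 command, with trailing /switches removed."""
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0].strip().strip('"').lower()


def triage(text):
    """Apply the three checks this thread turned on; return a list of Findings."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if GUID_DIR_RE.search(proc):
            findings.append(Finding("guid-dir-process", proc))
    for section, body in entries:
        line = f"{section} - {body}"
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                expected = EXPECTED_TARGET.get(m.group("label").lower())
                # The culprit here: value named "explorer", target Yinstall.exe.
                if expected and not run_target(m.group("cmd")).endswith("\\" + expected):
                    findings.append(Finding("misleading-run-label", line))
        if GUID_DIR_RE.search(body):
            findings.append(Finding("guid-dir-entry", line))
        if section == "R3" and body.endswith("(no file)"):
            findings.append(Finding("orphan-urlsearchhook", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run it against a full log saved by HijackThis to get the same four classes of hit; legitimate entries such as AVG7_CC and MSConfig produce nothing.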
geek Posted October 12, 2006

Logfile of HijackThis v1.99.1
Scan saved at 8:08:10 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\Update.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ERICAT~1\LOCALS~1\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136764335234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158716816796
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
therock247uk Posted October 12, 2006

...
therock247uk Posted October 12, 2006

Can you post c:\vundofix.txt?
geek Posted October 12, 2006 (edited)

VundoFix V6.2.1
Checking Java version...
Scan started at 10:11:54 PM 10/10/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...

VundoFix V6.2.1
Checking Java version...
Scan started at 8:34:45 PM 10/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...

VundoFix V6.2.1
Checking Java version...
Scan started at 8:52:42 PM 10/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...

Edited October 12, 2006 by geek
therock247uk Posted October 12, 2006

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports":
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
geek Posted October 13, 2006

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at: 8:52:47 PM 10/12/2006

 + Scan result:

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP403\A0089634.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090827.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090834.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090846.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090863.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP406\A0091185.exe -> Adware.PurityScan : No action taken.
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\Update.exe -> Adware.Softomate : No action taken.
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\services.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP403\A0090649.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP403\A0090650.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP403\A0090651.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090837.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090838.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090839.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090969.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP405\A0090970.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP406\A0091080.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP406\A0091081.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP406\A0091136.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP385\A0082257.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
C:\Documents and Settings\Brittany\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brittany\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brittany\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brittany\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Erica Tankard\Cookies\erica [email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\John\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\John\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Lilian\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brittany\Cookies\brittany@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Erica Tankard\Local Settings\Temp\Cookies\erica [email protected][1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & jeremy@admarketplace[1].txt -> TrackingCookie.Admarketplace : No action taken.
C:\Documents and Settings\Brittany\Cookies\brittany@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Brittany\Cookies\brittany@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Brittany\Cookies\brittany@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Brittany\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & jeremy@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Brittany\Cookies\brittany@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Brittany\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : No action
taken.C:\Documents and Settings\John\Cookies\john@com[1].txt -> TrackingCookie.Com : No action taken.C:\Documents and Settings\Brittany\Cookies\brittany@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][1].txt -> TrackingCookie.Enhance : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][2].txt -> TrackingCookie.Esomniture : No action taken.C:\Documents and Settings\Brittany\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][2].txt -> TrackingCookie.Euroclick : No action taken.C:\Documents and Settings\Erica Tankard\Cookies\erica [email protected][2].txt -> TrackingCookie.Euroclick : No action taken.C:\Documents and Settings\Brittany\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][1].txt -> TrackingCookie.Hitbox : No action taken.C:\Documents and Settings\Brittany\Cookies\brittany@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][1].txt -> TrackingCookie.Overture : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][2].txt -> TrackingCookie.Overture : No action taken.C:\Documents and Settings\Erica Tankard\Cookies\erica [email protected][2].txt -> TrackingCookie.Pointroll : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][1].txt -> TrackingCookie.Specificclick : No action taken.C:\Documents and Settings\Brittany\Cookies\brittany@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.C:\Documents and Settings\Brittany\Cookies\brittany@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.C:\Documents and 
Settings\Erica Tankard\Cookies\erica tankard@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.C:\Documents and Settings\Erica Tankard\Cookies\erica [email protected][2].txt -> TrackingCookie.Valuead : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & jeremy@yadro[2].txt -> TrackingCookie.Yadro : No action taken.C:\Documents and Settings\Brittany\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Courtney & Jeremy\Cookies\courtney & [email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Erica Tankard\Cookies\erica [email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Erica Tankard\Local Settings\Temp\Cookies\erica [email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.::Report end Link to post Share on other sites
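A small parser for the AVG Anti-Spyware report format posted above, added here as an example and not part of the thread or of AVG's own tooling. It separates System Restore copies and tracking cookies from files still on the live filesystem, and counts entries whose status is still "No action taken" (the report above was saved before any item was quarantined or removed). The five sample lines are copied from the report above.

```python
import re
from collections import Counter

# Five sample lines copied from the AVG Anti-Spyware report posted in this thread.
REPORT = r"""
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP403\A0089634.exe -> Adware.PurityScan : No action taken.
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\Update.exe -> Adware.Softomate : No action taken.
C:\Program Files\Common Files\{E000E1C3-09E5-1033-0512-041025200001}\services.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP385\A0082257.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
C:\Documents and Settings\Brittany\Cookies\brittany@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
::Report end
"""

# One report line has the shape "<path> -> <detection name> : <action>."
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")


def parse_report(text):
    """Return a list of {path, detection, action} dicts, skipping header and footer lines."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def classify(finding):
    """Bucket a finding by what it actually means for the live system."""
    path = finding["path"].lower()
    if finding["detection"].startswith("TrackingCookie."):
        return "cookie"          # browser tracking cookie: data, not executable code
    if "\\system volume information\\_restore" in path:
        return "restore_point"   # System Restore copy of a file already removed from its original location
    return "active"              # file still present outside the restore points


def summarize(text):
    findings = parse_report(text)
    by_class = Counter(classify(f) for f in findings)
    # "No action taken" on every line means the items were only listed, not removed.
    unresolved = sum(1 for f in findings if f["action"].lower().startswith("no action"))
    return {
        "total": len(findings),
        "by_class": dict(by_class),
        "unresolved": unresolved,
        "active_files": [f["path"] for f in findings if classify(f) == "active"],
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT).items():
        print(f"{key}: {value}")
```

Pointing the script at a saved report text file shows at a glance which detections are live files worth attention and which will only disappear once System Restore points are purged.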
therock247uk Posted October 13, 2006
Ok post a new Hijackthis log here in a reply.
geek Posted October 13, 2006 (Author)
Quote (therock247uk): Ok post a new Hijackthis log here in a reply.

May I ask what it is you find suspicious? What is problematic?

Logfile of HijackThis v1.99.1
Scan saved at 5:06:22 PM, on 10/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\DOCUME~1\ERICAT~1\LOCALS~1\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136764335234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158716816796
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
therock247uk Posted October 14, 2006
Your log is clean.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:
Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar <= Get the free Google Toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall is definitely a must have. Three good free versions are Kerio, Sygate and ZoneLabs.
geek Posted October 15, 2006 (Author)
Quote (therock247uk):
Your log is clean.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:
Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar <= Get the free Google Toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall is definitely a must have. Three good free versions are Kerio, Sygate and ZoneLabs.

She has most of that and has been running it. Thanks for your time. Just to let you know, Sygate was bought by Symantec and no longer offers a free version, unfortunately.
therock247uk Posted October 16, 2006
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.