bluzdude Posted April 7, 2005

Also, I had notifications using Ad-Aware SE that CoolWWWSearch is on my machine. Here's my HJK log, thanks: (I tried the "fix" with HJK but the stuff just comes right back on the next scan.)

Logfile of HijackThis v1.99.1
Scan saved at 11:37:27 AM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O13 - FTP Prefix:
O13 - Gopher Prefix:
Dan Posted April 7, 2005

Is this the full log from HijackThis???
bluzdude Posted April 7, 2005

Yes, as far as I know. I ran the scan with the log option.
bluzdude Posted April 7, 2005

I rebooted and ran HJK again. I have a dialer it looks like too; I'm getting a pop-up window on my desktop that is titled "WebSiteViewer" and has this message "Dialing Failed (error #680)". Also there's a new shortcut on my desktop of some woman, the icon is named "XXX", and it's on my start menu too. Here's the latest scan log:

Logfile of HijackThis v1.99.1
Scan saved at 2:25:19 PM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\WebSiteViewer\125234.dlr
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
bluzdude Posted April 7, 2005

OK, I reinstalled HJK and ran a new scan. I have gotten much more stuff on here since your reply; I don't know where it's all coming from. I haven't even been surfing the web except here since I posted this thread. My machine is running extremely slow now and I'm getting Internet Optimizer pop-ups, there's a new search bar on IE, UCmore XP search accelerator, etc. There is stuff popping up on the task manager and moving up and down the listing of running processes. My home page is still hijacked and I've run Ad-Aware SE, SpyBot S&D, CW Shredder. I've been waiting for your help all day, do I need to go somewhere else? Here's the last HJK log:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:47 PM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Services\{3ECEC789-3315-4897-85C0-4945D264998A}\SVCHOST.EXE
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [sysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [lepozat] C:\WINDOWS\lepozat.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\RAYBAK~1.RAY\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [service Host] C:\WINDOWS\System32\Services\{3ECEC789-3315-4897-85C0-4945D264998A}\SVCHOST.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sysTime] C:\WINDOWS\System32\systime.exe
O4 - Startup: BJ Status Monitor Canon i560.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112893923640
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_0/controls/ybrequest.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_5_0/controls/YBUICtrl.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
Dan Posted April 8, 2005 (edited)

Hi,
This is what I needed. Please run some scans:

1. Download and Install Spybot S&D, accepting the Default Settings
2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to ‘Search for Updates’ then download and install the Updates.
5. Next click the button ‘Check for Problems’
6. When Spybot is complete, it will be showing ‘RED’ entries, bold 'Black' entries and ‘GREEN’ entries in the window
7. Make certain there is a check mark beside all of the RED entries ONLY.
8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
9. REBOOT to complete the scan and clear memory.

Next,
1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan
2. Close ALL windows except Ad-Aware SE
3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window
1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)
Under Definitions:
*Prompt to update outdated definitions - set the number of days
2) Click on the ‘Scanning’ button on the left and select in green:
Under Driver, Folders & Files:
*Scan Within Archives
Under Select drives & folders to scan -
*choose all hard drives
Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file
3) Click on the ‘Advanced’ button on the left and select in green:
Under Shell Integration:
*Move deleted files to recycle bin
Under Logfile Detail Level: (all green)
*include additional object information
*DESELECT - include negligible objects information
*include environment information
Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT
4) Click the ‘Tweak’ button and select in green:
Under ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only
Under ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot
Under Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check: Include Module list in logfile
5. Click on ‘Proceed’ to save the settings.
6. Click ‘Start’
*Choose: 'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
9. Save the log file when it asks and then click ‘finish’
10. REBOOT to complete the removal of what Ad-Aware SE found.

Finally, visit one or both of these websites, and do an online virus scan (Note: Run these in Internet Explorer):
Housecall - http://housecall.trendmicro.com/
or
Panda - http://www.pandasoftware.com/activescan/ac...ef=EN-PR-AS-107
or
Housecall Java Scan (Can be run in any browser with Java) - http://fr.trendmicro-europe.com/consumer/p...call_launch.php

Post a new log after running these scans.
dkl

Edited April 8, 2005 by dknoppix
bluzdude Posted April 8, 2005

OK, I got your last post and will do as you suggest. I am being knocked off IE from time to time by one of these bugs, I guess, so this might take a while. I'll post as soon as I get the online scans done, thanks!
bluzdude Posted April 8, 2005

Oh man, my comp acts like it's going to crash. I could only get the Trend scan to run and it found 49 infections and it couldn't clean any of them. The file names were covered up so I don't even know what they are, so I can't try to delete them manually. The Panda site wouldn't work at all, wouldn't even start scanning, plus my browser kept shutting down and my desktop blanks out for a few seconds. This thing is really infested with some bad stuff. I have Javas, trojans, and worms. I will try to go back to the Panda site and run their scan. The Trend one can't clean the infections. I'll get back to you as soon as I can, if my machine doesn't crash and burn first.
bluzdude Posted April 8, 2005

OK, I finally got Panda's scan to run and it disinfected all of the viruses, I think. I have run another HJT scan and here are the results; the "nowfind.biz" stuff is still there as Panda didn't fix any spyware/adware bugs. My computer is acting quite a bit better now but I still have a desktop that flashes on and off frequently, and my homepage is still hijacked. IE is working much better than before Panda's scan, at least I can access the internet without it freezing up on me now. I have the Panda log if you need it.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:21 AM, on 4/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\RAYBAK~1.RAY\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [service Host] C:\WINDOWS\System32\Services\{3ECEC789-3315-4897-85C0-4945D264998A}\SVCHOST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BJ Status Monitor Canon i560.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112893923640
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_0/controls/ybrequest.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_5_0/controls/YBUICtrl.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Dan Posted April 8, 2005

Hi,

Download CWShredder from http://cwshredder.net/bin/CWShredder.exe. Open CWShredder and, with ALL other windows closed, click fix.

Open HijackThis, click the Scan button, and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/clickpps.php
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\RAYBAK~1.RAY\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [service Host] C:\WINDOWS\System32\Services\{3ECEC789-3315-4897-85C0-4945D264998A}\SVCHOST.EXE
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

Close all windows except HijackThis, and click the "Fix Checked" button.

Locate the following files and delete them:

C:\DOCUME~1\RAYBAK~1.RAY\LOCALS~1\Temp\keep.exe
C:\WINDOWS\SYSTEM32\drct16.dll
C:\WINDOWS\System32\Services\{3ECEC789-3315-4897-85C0-4945D264998A}\SVCHOST.EXE

Reboot.

Locate this file, and send it here: C:\WINDOWS\drexinit.dll

Post a new log.

dk
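As an added example that is not part of this thread (not the helpers' own tooling): a Python script that applies the same triage Dan does above to HijackThis log lines. It flags R0/R1 entries whose URL points at a host outside an assumed allowlist, O1 hosts-file entries that sinkhole a real site, O4 Run entries that start a program from a Temp folder or a GUID-named folder under System32\Services, and any O20 Winlogon Notify DLL. The sample lines are copied from the logs posted in this thread; TRUSTED_WEB_HOSTS is an assumption about what the machine's owner actually uses.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, plus one benign O4 entry (the Java update scheduler) for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\RAYBAK~1.RAY\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [service Host] C:\WINDOWS\System32\Services\{3ECEC789-3315-4897-85C0-4945D264998A}\SVCHOST.EXE
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
"""

# Assumption: hosts the owner legitimately uses for IE start/search pages.
# Any other host in an R0/R1 entry is reported as a hijack candidate.
TRUSTED_WEB_HOSTS = {"www.google.com", "www.msn.com", "home.earthlink.net"}

# Places a Run entry should not normally start a program from: a user's Temp
# folder, or a GUID-named folder under System32\Services (where the fake
# SVCHOST.EXE in this thread lived).
LOW_TRUST_PATH = re.compile(r"\\temp\\|\\system32\\services\\\{", re.IGNORECASE)

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "R1", "O4", "O20"
    reason: str  # why the entry deserves a look
    line: str    # the original log line


def _command_path(cmd: str) -> str:
    """Executable path of a Run command, without quotes or trailing arguments
    (e.g. the 'RunServices \\Device\\...' suffix seen on the modem entries)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"^(.*?\.(?:exe|dll|lnk|bat))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def analyze(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries to review first.
    Header and process-list lines do not match ENTRY_RE and are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")

        if code in ("R0", "R1") and " = " in body:
            # IE start/search page settings: flag any host not on the allowlist.
            url = body.split(" = ", 1)[1].strip()
            host = (urlparse(url).hostname or "").lower()
            if host and host not in TRUSTED_WEB_HOSTS:
                findings.append(Finding(code, f"IE setting points at untrusted host {host}", line))

        elif code == "O1" and body.startswith("Hosts:"):
            # Mapping a real site to loopback silently breaks or redirects it.
            parts = body[len("Hosts:"):].split()
            if len(parts) == 2 and parts[1] == "127.0.0.1" and parts[0].lower() != "localhost":
                findings.append(Finding(code, f"hosts file sinkholes {parts[0]}", line))

        elif code == "O4":
            rm = RUN_RE.search(body)
            if rm and LOW_TRUST_PATH.search(_command_path(rm.group("cmd"))):
                findings.append(Finding(code, "autostart from a Temp or GUID-named folder", line))

        elif code == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe at logon, so they
            # survive user-level cleanup; always review them.
            findings.append(Finding(code, "Winlogon Notify DLL loaded at logon", line))
    return findings


def hijack_hosts(findings: list[Finding]) -> set[str]:
    """Distinct untrusted hosts from R0/R1 findings (handy for a blocklist)."""
    return {
        urlparse(f.line.split(" = ", 1)[1].strip()).hostname
        for f in findings if f.code in ("R0", "R1")
    }


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```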
bluzdude (Author) Posted April 8, 2005

Hi dk, I'm having IE probs accessing this forum and am working with Jeff and Pierce in the chat to resolve that issue first. I am using Firefox to post this; can't get here with IE at all.
bluzdude (Author) Posted April 8, 2005

OK, I'm back using the Firefox browser. IE still won't let me access this forum, and I will proceed with your instructions.
bluzdude (Author) Posted April 8, 2005

Man, my desktop is giving me fits. It keeps blanking out; also, when I'm trying to use Windows Explorer, it will disappear frequently and I have to start the navigation all over from scratch.

The "keep.exe" file was not in the temp folder.
The "drct16.dll" file was not in the system32 folder.
The "\svschost.exe" file was not in the "3ecec789-....." folder; only the .dll file was there, so I deleted the "3ecec789-..." folder completely.

How do I send the c:\WINDOWS\drexinit.dll file to you? It won't open, so I can't copy and paste the contents (?). Do I just right-click the file in Explorer and copy, then paste the clipboard here?

Here's the HJT log after fixing the things you said to (except those listed above, of course, as they couldn't be located):

Logfile of HijackThis v1.99.1
Scan saved at 4:18:59 PM, on 4/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\imapi.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BJ Status Monitor Canon i560.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112893923640
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_0/controls/ybrequest.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_5_0/controls/YBUICtrl.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Dan Posted April 9, 2005

To send me the file, you email it to me. You attach the file and send it here (Click on the link).

You have a Horseserver infection which requires some tools to get rid of.

First, download HSFix from here. After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Next, download CleanUp! Install it, but do not run it yet.

Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat". A log will be produced which you can close out of.

Then run HijackThis again, close any open windows and browsers and fix these:

HJT items here

Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.

Restart your computer into normal mode and run at least one of the following free, online virus scans:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/co...n_principal.htm
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

dk
bluzdude (Author) Posted April 9, 2005

Here's the latest HJT log. The "HSFIX" log will follow:

Logfile of HijackThis v1.99.1
Scan saved at 4:43:11 AM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.earthlink.net/~rbaker529/id2.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BJ Status Monitor Canon i560.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112893923640
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_0/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_5_0/controls/YBUICtrl.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
bluzdude (Author) Posted April 9, 2005

Here's the HSFIX log:

Horseserver Removal Tool v1.05 by Atri
--
1. Registry Fix Started
- Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdmt16.sys
winlow.sys
drct16.dll
mszx23.exe
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
--
-
Besttechie Posted April 9, 2005

Hi,

I will be taking over your log, because dk has to go out this weekend and won't be here to finish the log.

Download KillBox Here. Double-click the KillBox icon; that will start the program.

Enter the following path in the file path box to delete: C:\WINDOWS\drexinit.dll

Select Standard File Kill, and tick "End Explorer Shell While Killing File" and "Unregister .dll before deleting". Then click the red X. Then click Exit, after it deletes the file.

Next, run HijackThis again and click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll

Then reboot, and post a new log.

B
bluzdude (Author) Posted April 9, 2005

Hi BT,

I did as you asked. HJT did not detect "drexinit" after the Killbox delete sequence, so I assume it's gone for good. Rebooted and ran HJT again. Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:32 PM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.earthlink.net/~rbaker529/id2.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BJ Status Monitor Canon i560.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112893923640
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_0/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_5_0/controls/YBUICtrl.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ray (bluzdude)
Besttechie Posted April 9, 2005

Your log looks clean now. For future protection and prevention, please take a look at the following. Good job!

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

B