chasdean Posted February 28, 2006 Report Share Posted February 28, 2006 I had a tragic experience with system restore - loosing documents, contacts, etc. Having to recover and reassemble ...that's done. But all my spyware protection has been lost and I've been plagued with pop ups etc. since this happened. I've run Spybot and Ad-Aware frequently in normal and safe mode - I've also turned off system restore and reun them both.Here's my Hijack this Log:Logfile of HijackThis v1.99.1Scan saved at 9:57:07 AM, on 2/28/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\WINNT\Explorer.EXEC:\Program Files\Trend Micro\Internet Security 2005\pccguide.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeC:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeC:\Program Files\Common Files\AOL\ACS\AOLDial.exeC:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\PROGRA~1\COMMON~1\AOL\111415~1\EE\AOLHOS~1.EXEC:\Program Files\Brother\ControlCenter2\brctrcen.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Daily Weather Forecast\weather.exeC:\PROGRA~1\COMMON~1\AOL\111415~1\EE\AOLServiceHost.exeC:\DOCUME~1\OWNERC~1.009\APPLIC~1\ASEMBL~1\regedit.exeC:\WINNT\system32\l?gonui.exeC:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exeC:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exeC:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeC:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeC:\WINNT\system32\Brmfrmps.exeC:\WINNT\system32\drivers\KodakCCS.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINNT\System32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\WINNT\system32\BRMFRSMG.EXEC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\Program Files\Brother\Brmfl04e\FAXRX.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\ScanSoft\PaperPort\PaprPort.exeC:\Program Files\ScanSoft\PaperPort\pplinks.exeC:\Program Files\ScanSoft\PaperPort\ppscanmg.exeC:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXEC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Owner.CHARLESDT.009\Desktop\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/markets/index.html?Intro=introR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR3 - URLSearchHook: (no name) - {FBE44EA9-D368-FA9F-4FF0-855A6C3F12E3} - C:\WINNT\system32\hmyivdj.dllO1 - Hosts: 66.195.127.98 www.escrow.comO1 - Hosts: 66.195.127.98 my.escrow.comO1 - Hosts: 66.195.127.98 escrow.comO1 - Hosts: 66.195.127.98 ww.escrow.comO1 - Hosts: 66.195.127.98 wwww.escrow.comO1 - Hosts: 66.195.127.98 www.escrow.comO1 - Hosts: 66.195.127.98 my.escrow.comO1 - Hosts: 66.195.127.98 escrow.comO1 - Hosts: 66.195.127.98 ww.escrow.comO1 - Hosts: 66.195.127.98 wwww.escrow.comO1 - Hosts: 66.195.127.98 www.escrow.comO1 - Hosts: 66.195.127.98 my.escrow.comO1 - Hosts: 66.195.127.98 escrow.comO1 - Hosts: 66.195.127.98 ww.escrow.comO1 - Hosts: 66.195.127.98 wwww.escrow.comO1 - Hosts: 66.195.127.98 www.escrow.comO1 - Hosts: 66.195.127.98 my.escrow.comO1 - Hosts: 66.195.127.98 escrow.comO1 - Hosts: 66.195.127.98 ww.escrow.comO1 - Hosts: 66.195.127.98 wwww.escrow.comO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: (no name) - {FBE44EA9-D368-FA9F-4FF0-855A6C3F12E3} - C:\WINNT\system32\hmyivdj.dllO2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dllO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeO4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeO4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1114150098\EE\AOLHostManager.exeO4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exeO4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exeO4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exeO4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exeO4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorunO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exeO4 - HKCU\..\Run: [Earu] "C:\DOCUME~1\OWNERC~1.009\APPLIC~1\ASEMBL~1\regedit.exe" -vt yazbO4 - HKCU\..\Run: [Ymfik] C:\WINNT\system32\l?gonui.exeO4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"O4 - Startup: LaunchU3.exe.lnk = ?O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exeO4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exeO4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlO8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dllO9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlO9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlO9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {196C0CF5-6C4E-43C5-98BB-86DE44D44B88} (ByteClickLoanWF Control) - https://ilnet.wellsfargo.com/ilonline/crs/h...clickloanwf.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120669920468O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cabO16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview.com/product/current/l...all_a_green.exeO16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cabO16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1...PtClickLoan.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aamortg.localO17 - HKLM\Software\..\Telephony: DomainName = aamortg.localO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aamortg.localO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aamortg.localO23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeO23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeO23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeThanks for your help Link to post Share on other sites
Dragon Posted March 1, 2006 Report Share Posted March 1, 2006 hi an welcome to besttechie. it seems you have a bit of a mess here, so lets get it all cleaned up.since you already rean spybot and Ad-aware we dont' need to worry about them at the moment.boot safe mode and run hijack this, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR3 - URLSearchHook: (no name) - {FBE44EA9-D368-FA9F-4FF0-855A6C3F12E3} - C:\WINNT\system32\hmyivdj.dllO2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)O2 - BHO: (no name) - {FBE44EA9-D368-FA9F-4FF0-855A6C3F12E3} - C:\WINNT\system32\hmyivdj.dllO2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKCU\..\Run: [Ymfik] C:\WINNT\system32\l?gonui.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)Reboot your PC.then please find the following file and go to http://virusscan.jotti.org and submit it for scanning. C:\DOCUME~1\OWNERC~1.009\APPLIC~1\ASEMBL~1\regedit.exeIf you would please, rescan with HijackThis and post a fresh log in this same topic, along with the information you received from Jotti's on that file. let us know how your system's working. Link to post Share on other sites
therock247uk Posted April 5, 2006 Report Share Posted April 5, 2006 Inactive topic...If you still need help on this problem, contact me or one of the Moderators to re-open this up.Topic closed. Link to post Share on other sites
Recommended Posts