PDA

View Full Version : Google redirect hijack



Mr_Twister
2007-01-25, 23:43
Hi guys, am having a problem with Google redirecting me to spam sites when I click a link. Have followed the instructions so far, please be gentle! Thanks very much for your help.

Mr_Twister

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 21:33:52, on 25/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\YAHOO!\YOP\secstat.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120w.bay120.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161972467963
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E07AEF-733D-406D-AB37-A029CD0E8712}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D67564B-A1A0-4A1F-ACC3-C4E40138FE8B}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ECE582E-6106-42DB-8CBD-B197D03327D8}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.57 85.255.112.181
O17 - HKLM\System\CS1\Services\Tcpip\..\{66E07AEF-733D-406D-AB37-A029CD0E8712}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.57 85.255.112.181
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
\USER\Cookies\user@bluestreak[3].txt

Mr_Twister
2007-01-25, 23:47
Panda online report


Incident Status Location

Virus:Trj/dmRandom.FQ Disinfected C:\WINDOWS\SYSTEM32\KDEBX.EXE
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Motive\BTBB\PSKILL.EXE
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Documents and Settings\USER\Local Settings\Temp\PSKILL.EXE
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\USER\Cookies\user@doubleclick[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\USER\Cookies\user@serving-sys[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\USER\Cookies\user@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\USER\Cookies\user@apmebf[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\USER\Cookies\user@centrport[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\USER\Cookies\user@atdmt[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\USER\Cookies\user@hitbox[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\USER\Cookies\user@statcounter[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\USER\Cookies\user@cs.sexcounter[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter7.sextracker[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\USER\Cookies\user@bs.serving-sys[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\USER\Cookies\user@adrevolver[4].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\USER\Cookies\user@adviva[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\USER\Cookies\user@adtech[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\USER\Cookies\user@landing.domainsponsor[1].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\USER\Cookies\user@xxxcounter[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\USER\Cookies\user@mediaplex[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter9.sextracker[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\USER\Cookies\user@ccbill[1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\USER\Cookies\user@paycounter[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\USER\Cookies\user@adrevolver[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\USER\Cookies\user@bluestreak[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\USER\Cookies\user@ads.pointroll[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@sextracker[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\USER\Cookies\user@fastclick[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\USER\Cookies\user@247realmedia[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\USER\Cookies\user@ad.yieldmanager[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\USER\Cookies\user@statse.webtrendslive[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\USER\Cookies\user@tradedoubler[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter3.sextracker[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\USER\Cookies\user@sexlist[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\USER\Cookies\user@112.2o7[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\USER\Cookies\user@overture[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter5.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter14.sextracker[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\USER\Cookies\user@questionmarket[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter4.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter8.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter16.sextracker[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\USER\Cookies\user@adultfriendfinder[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\USER\Cookies\user@com[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@sextracker[3].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\USER\Cookies\user@tradedoubler[2].txt

Mr_Twister
2007-01-25, 23:48
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\USER\Cookies\user@2o7[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\USER\Cookies\user@questionmarket[3].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter4.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\USER\Cookies\user@cs.sexcounter[3].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\USER\Cookies\user@adviva[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\USER\Cookies\user@ads.pointroll[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter7.sextracker[3].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter6.sextracker[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\USER\Cookies\user@xiti[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter10.sextracker[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\USER\Cookies\user@sexlist[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter8.sextracker[3].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\USER\Cookies\user@paycounter[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\USER\Cookies\user@statcounter[3].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\USER\Cookies\user@xxxcounter[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter9.sextracker[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\USER\Cookies\user@adrevolver[5].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\USER\Cookies\user@cgi-bin[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\USER\Cookies\user@ccbill[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\USER\Cookies\user@ad.yieldmanager[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\USER\Cookies\user@bs.serving-sys[3].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\USER\Cookies\user@112.2o7[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter5.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@counter16.sextracker[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\USER\Cookies\user@fe.lea.lycos[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\USER\Cookies\user@weborama[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\USER\Cookies\user@media.adrevolver[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\USER\Cookies\user@adultfriendfinder[3].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\USER\Cookies\user@webpower[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\USER\Cookies\user@atwola[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\USER\Cookies\user@findwhat[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\USER\Cookies\user@casalemedia[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\USER\Cookies\user@overture[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\USER\Cookies\user@advertising[3].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\USER\Cookies\user@tribalfusion[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\USER\Cookies\user@mediaplex[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\USER\Cookies\user@serving-sys[3].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\USER\Cookies\user@hitbox[3].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\USER\Cookies\user@statse.webtrendslive[4].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\USER\Cookies\user@server.iad.liveperson[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\USER\Cookies\user@realmedia[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\USER\Cookies\user@bluestreak[3].txt

pskelley
2007-01-27, 13:57
Welcome to the forum, please follow these directions in the posted order.

1) Thanks to LonnyBJones and anyone else who helped with this fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

(save the report and HJT log until we finish)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

(if any of your programs tries to block the changes we must make, allow them or turn the program off until you are finished)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E07AEF-733D-406D-AB37-A029CD0E8712}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D67564B-A1A0-4A1F-ACC3-C4E40138FE8B}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ECE582E-6106-42DB-8CBD-B197D03327D8}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.57 85.255.112.181
O17 - HKLM\System\CS1\Services\Tcpip\..\{66E07AEF-733D-406D-AB37-A029CD0E8712}: NameServer = 85.255.114.57,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.57 85.255.112.181

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the report.txt from Fixwareout, a new HJT log and any comments you think will help.

Thanks

Mr_Twister
2007-01-31, 21:15
Hi

Thanks very much for the help so far. Have followed your instructions above, all seemed to go as you said. Let me know what to do now! :-)

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 19:12:22, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\YAHOO!\YOP\secstat.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120w.bay120.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161972467963
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Mr_Twister
2007-01-31, 21:16
And the Fixwareout report:-


Fixwareout
Last edited 1/27/2007
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\system32\kdebx.exe will be moved to C:\WINDOWS\temp\kdebx.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»


»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"LManager"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"eRecoveryService"="C:\\Acer\\Empowering Technology\\eRecovery\\Monitor.exe"
"YBrowser"="C:\\PROGRA~1\\YAHOO!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\BTBROA~2\\SMARTB~1\\BTHelpNotifier.exe"
"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"YOP"="C:\\PROGRA~1\\YAHOO!\\YOP\\yop.exe /autostart"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\ypager.exe -quiet"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

pskelley
2007-01-31, 21:49
Thanks for returning your information. How is the computer running now, any malware issues? Since Panda showed a load of junk and this is a nasty infection, I would like to run one more scan to make sure you are clean.
Follow the directions in the link, delete or at least quarantine anything the program locates, then post the scan results for me to view. I have no need to see cookies again, as long as you delete then, edit them out of the scan report.
http://forums.security-central.us/showthread.php?t=3165

Thanks

tashi
2007-02-12, 18:51
:scratch:
This topic is closed due to lack of a response to helper, if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.