View Full Version : click2begin popups
proteger
2006-06-02, 05:16
Hi... First off, I ran HJT because I had pop.elitemedia.net and click2begin popups. Like and idiot, i didn't read on before takining action. In HJT I 'fixed' the only pop.elitemedia.net entry I found. And that seemed to fix that, but I still have click2begin problems.
Thank you in advance for all your help ;)
__________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 4:43:35 PM, on 6/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\windows\system32\dwdsregt.exe
C:\WINDOWS\win32080310305582.exe
C:\WINDOWS\CCZoop05.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=1fa6d90d0ffcc38baef38e657f5b73d95008ed69acdc46d3a835ce6c411e5ec0&utf8=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ntynp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ypgqanl.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsc74.dll
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - C:\WINDOWS\shginas.dll
O2 - BHO: XBTB06688 Class - {EA09E26F-4423-4d72-83DB-1B0C3AF15BD1} - C:\PROGRA~1\TORREN~1\TORREN~1.DLL
O2 - BHO: (no name) - {f65b197f-8260-4d52-909a-f70118e646eb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=060606 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [{D1-11-1F-FB-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [win32080310305582] C:\WINDOWS\win32080310305582.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: TorrentTyphoon - {4CF009C8-0D60-4622-9DD1-9625D213921B} - C:\Program Files\Torrent Typhoon Search\torrenttyphoon.dll
O9 - Extra 'Tools' menuitem: TorrentTyphoon - {4CF009C8-0D60-4622-9DD1-9625D213921B} - C:\Program Files\Torrent Typhoon Search\torrenttyphoon.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131082227159
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
pskelley
2006-06-05, 00:51
Hello and welcome to the forum. Since a couple of days have gone by, I would like to see a new HJT log if you still need help. I can tell you that your problems are far from being gone and I would like to suggest, because other infections can occur that you stay offline as much as possible until you are clean. You have some nasty stuff including a Qoologic trojan. Post that new HJT log in this same thread and I will respond with instructions as soon as possible after that.
Thanks...pskelley
Safer Networking Forums
proteger
2006-06-05, 05:15
hi ...Thanks for your help :)
This is my new HJT log.... I also have my Panda Activescan from a few days ago if that will help any ;)
thanks again for your help
Logfile of HijackThis v1.99.1
Scan saved at 7:04:14 PM, on 6/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\windows\system32\dwdsregt.exe
C:\WINDOWS\win32080310305582.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\WINDOWS\system32\nodeipproc.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\wupdmgr.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\WINDOWS\osaupd.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=1fa6d90d0ffcc38baef38e657f5b73d95008ed69acdc46d3a835ce6c411e5ec0&utf8=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ntynp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ypgqanl.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsc74.dll
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - C:\WINDOWS\shginas.dll
O2 - BHO: XBTB06688 Class - {EA09E26F-4423-4d72-83DB-1B0C3AF15BD1} - C:\PROGRA~1\TORREN~1\TORREN~1.DLL
O2 - BHO: (no name) - {f65b197f-8260-4d52-909a-f70118e646eb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=060606 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [{D1-11-1F-FB-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [win32080310305582] C:\WINDOWS\win32080310305582.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [nodeipproc] C:\WINDOWS\system32\nodeipproc.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: TorrentTyphoon - {4CF009C8-0D60-4622-9DD1-9625D213921B} - C:\Program Files\Torrent Typhoon Search\torrenttyphoon.dll
O9 - Extra 'Tools' menuitem: TorrentTyphoon - {4CF009C8-0D60-4622-9DD1-9625D213921B} - C:\Program Files\Torrent Typhoon Search\torrenttyphoon.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131082227159
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
pskelley
2006-06-05, 12:31
Hi and thanks for the new log, save that Panda report, I may want to view it later. Let's see what we can clean out first, then we will tackle Qoologic.
1) How to make files and folders visible:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.
3) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ntynp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ypgqanl.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsc74.dll
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - C:\WINDOWS\shginas.dll
O2 - BHO: (no name) - {f65b197f-8260-4d52-909a-f70118e646eb} - (no file)
O4 - HKLM\..\Run: [{D1-11-1F-FB-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [win32080310305582] C:\WINDOWS\win32080310305582.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
(If you know what the next one is, you can leave it)
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
(looks like you issue may have started with p2p files sharing. Leave the next two only if you are positive they are safe)
O9 - Extra button: TorrentTyphoon - {4CF009C8-0D60-4622-9DD1-9625D213921B} - C:\Program Files\Torrent Typhoon Search\torrenttyphoon.dll
O9 - Extra 'Tools' menuitem: TorrentTyphoon - {4CF009C8-0D60-4622-9DD1-9625D213921B} - C:\Program Files\Torrent Typhoon Search\torrenttyphoon.dll
(next two are Alexa related resource wasters, remove them unless you use Alexa)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
(I have no idea what this stuff is? If you are positive it is safe, you can leave the next two?)
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\windows\system32\dwdsregt.exe >>> file
C:\WINDOWS\system32\ntynp.exe >>> file
C:\WINDOWS\system32\ypgqanl.exe >>> file
C:\WINDOWS\ZIFI002.exe >>> file
C:\WINDOWS\CCZoop05.exe >>> file
C:\WINDOWS\wupdmgr.exe >>> file
C:\WINDOWS\osaupd.exe >>> file
C:\WINDOWS\win32080310305582.exe >>> file
C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.
Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help. We will have more to do, remember to stay offline as much as possible. If you are using the computer for banking, etc., I would notifythe institutions of this breach of security, stopping any accounts until you can get clean and change passwords.
All going well, we will remove the Qoologic trojan next.
Thanks...Phil
proteger
2006-06-06, 07:54
Hi... I ran all the programs and did everything in sequence as you wrote.
But there were entries you wanted me to delete, but didnt show up in the HJT log.
And also some files for manual delete were not there. Nor is a Prefetch folder.
I haven't got any click2begin pop-ups, but a zeno pop-up showed up and the system
seems to be a bit slow.
Thanks again for your time and help :)
here are my logs
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:45:34 PM, 6/5/2006
+ Report-Checksum: D3A9973D
+ Scan result:
[1164] C:\windows\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
[1532] C:\WINDOWS\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup
[1120] C:\WINDOWS\osaupd.exe -> Downloader.Small.ckc : Cleaned with backup
C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\loader.exe -> Downloader.Small.cjy : Cleaned with backup
C:\WINDOWS\SYSTEM32\MSVCP60s.dll -> Adware.MoneyGainer : Cleaned with backup
C:\WINDOWS\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup
C:\WINDOWS\osaupd.exe -> Downloader.Small.ckc : Cleaned with backup
C:\WINDOWS\shginas.dll -> Adware.MoneyGainer : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp -> TrackingCookie.247realmedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> TrackingCookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> TrackingCookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp -> TrackingCookie.Clickbank : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> TrackingCookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> TrackingCookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> TrackingCookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> TrackingCookie.Hotlog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> TrackingCookie.Paycounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> TrackingCookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> TrackingCookie.Spylog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> TrackingCookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp -> TrackingCookie.Valuead : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp -> TrackingCookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@cartoonnetwork.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@broadspancommerce.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@northwestairlines.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@e-2dj6wjmyshajeho.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@e-2dj6wjlywnazkcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@e-2dj6wjlokkazsgq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@e-2dj6wjloepczkko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
E:\WINDOWS\SYSTEM32\com1\dragoon\c3389.exe -> Not-A-Virus.HackTool.Win32.Tsowa : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@www.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@att.com[1].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@www2.enigmasoftwaregroup[1].txt -> TrackingCookie.Enigmasoftwaregroup : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@com[2].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@download.com[2].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@specificpop[1].txt -> TrackingCookie.Specificpop : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
E:\Documents and Settings\Dave\Cookies\dave@ads47.bpath[2].txt -> TrackingCookie.Bpath : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 9:38:03 PM, on 6/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\nodeipproc.exe
C:\WINDOWS\SYSTEM32\mwinnez.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Yahoo!\Antivirus\autodown.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=1fa6d90d0ffcc38baef38e657f5b73d95008ed69acdc46d3a835ce6c411e5ec0&utf8=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ypgqanl.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: XBTB06688 Class - {EA09E26F-4423-4d72-83DB-1B0C3AF15BD1} - C:\PROGRA~1\TORREN~1\TORREN~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=060606 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [nodeipproc] C:\WINDOWS\system32\nodeipproc.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\mwinnez.exe FI002
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\mwinnez.exe
O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131082227159
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
pskelley
2006-06-06, 15:29
I apologize about Prefetch, I am just so used to working Windows XP.
Look at that Yahoo quarantine folder: C:\Program Files\Yahoo!\YPSR\Quarantine\ <<< and delete everything in it.
Some new stuff is showing in the log, it is importantant you deny access to your computer until we clean it up. Please keep it offline as much as possible. Thanks.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ypgqanl.exe
This line is the marker for Qoologic trojan. Follow these instructions carefully, you will know you are successful if it is missing after you run the fix.
____________________________________________________________
Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
(rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.
Once the Qoologic trojan is gone, then do this:
Look in Add Remove programs and uninstall anything you know should not be there.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ypgqanl.exe
Should be gone
O2 - BHO: XBTB06688 Class - {EA09E26F-4423-4d72-83DB-1B0C3AF15BD1} - C:\PROGRA~1\TORREN~1\TORREN~1.DLL (file missing)
O4 - HKLM\..\Run: [nodeipproc] C:\WINDOWS\system32\nodeipproc.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\mwinnez.exe FI002
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\mwinnez.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\nodeipproc.exe >>> file
C:\WINDOWS\SYSTEM32\mwinnez.exe >>> file
Restart the computer and post a new HJT log along with your comments.
Thanks...Phil
proteger
2006-06-07, 16:01
Hi ... I ran the Qoofix and the entries were not there :)
When I went to remove programs, I removed an entry 'ICONS'
-when I clicked to uninstall, it automatically rebooted...
I saved a HJT log after that reboot if you need it.
The system seems quicker, and there seems to be no problems.
here is my post Qoofix log
Logfile of HijackThis v1.99.1
Scan saved at 4:04:48 PM, on 6/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\WINDOWS\system32\nodeipproc.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=1fa6d90d0ffcc38baef38e657f5b73d95008ed69acdc46d3a835ce6c411e5ec0&utf8=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: XBTB06688 Class - {EA09E26F-4423-4d72-83DB-1B0C3AF15BD1} - C:\PROGRA~1\TORREN~1\TORREN~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=062106 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [nodeipproc] C:\WINDOWS\system32\nodeipproc.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\mwinnez.exe
O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131082227159
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
And here is my last HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 4:44:38 PM, on 6/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=1fa6d90d0ffcc38baef38e657f5b73d95008ed69acdc46d3a835ce6c411e5ec0&utf8=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=062106 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131082227159
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
Thanks again Phil ..for all your help!!
Dave
pskelley
2006-06-07, 20:13
OK Dave:bigthumb: looking at this HJT log: Logfile of HijackThis v1.99.1 Scan saved at 4:44:38 PM, on 6/6/2006 It appears clean of malware, how are you running now?
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
If all is well tashi will be along to close you in a few days. Safe surfing:)
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
proteger
2006-06-09, 14:44
Hi...everything seems fine now :)
Thanks again for all your help and time!
Dave
LonnyRJones
2006-06-12, 18:16
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me, pskelley or Tashi know.