PDA

View Full Version : Problem: Browser Hijack, Shortcuts in Start Menu, Occasional Popups (part I)



ryac79
2006-06-12, 10:17
PART I

Hello,

I have some problems with my computer, I'm hoping someone can help me out. I've already used spy-bot in safe mode to remove all spyware etc. and also scanned for viruses using the online scanner at Panda. Here's a description of my problem: 1) IE's homepage is set to hxxp://www.topsecuritysite.net and cannot be changed, 2) I'm always getting two shortcuts placed inside my start menu, named Online Security Guide (linked to: hxxp://onlinesecuritysolution.net) and Security Troubleshooting (linked to: hxxp://freetestonline.net), 3) Sometimes I get pop-ups in IE saying my computer is infected and to download the removal tool.

Please find my panda report and HJT log below:

Panda:

Incident Status Location

Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@abetterinternet[2].txt
Spyware:Cookie/BetterInet Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@a[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@offeroptimizer[2].txt
Spyware:Cookie/Transponder Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@pyn.pynix[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@xmts[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.com.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ryan.y\Cookies\ryan.y@atdmt[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\ryan.y\Cookies\ryan.y@offeroptimizer[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\ryan.y\Cookies\ryan.y@offeroptimizer[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\ryan.y\Cookies\ryan.y@offeroptimizer[4].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ryan.y\Cookies\ryan.y@tribalfusion[1].txt
Adware:adware/securityerror Not disinfected C:\Documents and Settings\ryan.y\Favorites\Antivirus Test Online.url
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\conscorr.inf
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\Cookies\ryan.y@abetterinternet[1].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\Cookies\ryan.y@cliks[2].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\Cookies\ryan.y@master.mx-targeting[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\Cookies\ryan.y@offeroptimizer[2].txt
Spyware:Cookie/Transponder Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\Cookies\ryan.y@pyn.pynix[1].txt
Spyware:Cookie/BetterInet Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\Cookies\ryan[2].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\Cookies\ryan[5].txt
Adware:Adware/SpywareQuake Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\temp.fr1EC0
Adware:Adware/Searchcontrol Not disinfected C:\Documents and Settings\ryan.y\Local Settings\Temp\win126.tmp.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\steven.hii\Local Settings\Temp\bb.exe
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\steven.hii\Local Settings\Temp\conscorr.inf
Adware:Adware/PowerScan Not disinfected C:\Documents and Settings\steven.hii\Local Settings\Temp\powerscan.exe
Potentially unwanted tool:Application/Pskill.B Not disinfected C:\Nokia\Update_Manager\UninstallerData_UM_2_0\Shut_Down_UMC.exe
Adware:Adware/SaveNow Not disinfected C:\Program Files\ddm\7198\SaveInstCmS.exe

continued..

ryac79
2006-06-12, 10:19
PART II

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 14:58:35, on 6/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\MousePro\MIProHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\DOCUME~1\ryan.y\APPLIC~1\PPPATC~1\mmc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Gush\Gush.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\stickies\stickies.exe
C:\Nokia\Update_Manager\bin\UMScheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [MImpPro] C:\Program Files\MousePro\MIProHst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [WfwiEvalPostExpire] C:\Program Files\Wise for Windows Installer\EvalPostExpire.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [8cad99f9.exe] C:\Documents and Settings\ryan.y\Local Settings\Application Data\8cad99f9.exe
O4 - HKCU\..\Run: [Aoal] "C:\DOCUME~1\ryan.y\APPLIC~1\PPPATC~1\mmc.exe" -vt yazr
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Gush.lnk = C:\Program Files\Gush\Gush.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.dasdeck.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = groupicg.com
O17 - HKLM\Software\..\Telephony: DomainName = groupicg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = groupicg.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = groupicg.com
O20 - AppInit_DLLs: HookDLL.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winaje32 - C:\WINDOWS\SYSTEM32\winaje32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Flash Media Server (FMS) (FMS) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
O23 - Service: Flash Media Administration Server (FMSAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Npacamrf - Symantec Corporation - (no file)
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINDOWS\system32\npacketsvc.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
O23 - Service: MorningSound VirtualCamera Play Service (VirtualCameraService) - Unknown owner - C:\Program Files\VirtualCamera\VCamSrv.exe


Thanks for your help. It's appreciated..

Ryan

ryac79
2006-06-14, 05:01
Hi,

I must have posted too fast. I guess the shortcuts were removed when I ran spybot. However, I'm still having the problem of my homepage in IE going to hxxp://www.topsecuritysite.net, and I cant change it. The pop-up that I get also appears on this same page when it loads.

I'm running windows XP professional, service pack 2, if this helps!

Ryan

LonnyRJones
2006-06-17, 19:18
Hi ryac79

Fallow the instructions here
http://forums.spybot.info/showthread.php?t=4015
If you have questions ask before starting

ryac79
2006-06-19, 15:13
Hi LonnyRJones,

Thanks. I've done this and IE seems to be working fine now. Unfortunately, I seem to have a hard time following instructions on monday mornings (as easy as it is) and I missed out cleaning my temporary internet files. I then stopped the Ewido scan because of that and started over again. Ewido found nine files and removed them after I cancelled, they're not reflected in the log enclosed. I also wasnt able to log-in with my usual account in safe mode and I didnt know how to empty my recycle bin in my usual account. It appears that nothing was deleted from it. hope it's not going to cause any problems later on..?

Here are my three reports: rapport.txt, ewido log, and hijackthis log:

rapport.txt:

SmitFraudFix v2.62

Scan done at 18:39:07.50, Mon 06/19/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:29:48 PM, 6/19/2006
+ Report-Checksum: 9F1EC883

+ Scan result:

:mozilla.6:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\OA.exe -> Downloader.PurityScan.cq : Cleaned with backup
C:\WINDOWS\Temp\winD2.tmp.exe -> Downloader.Small.cvw : Cleaned with backup
D:\mobile\progz\jpg2Liteswf.zip/jpg2Liteswf/jpg2Liteswf.exe -> Trojan.PhpRun : Cleaned with backup


::Report End

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 19:43:31, on 6/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\MousePro\MIProHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\stickies\stickies.exe
C:\Nokia\Update_Manager\bin\UMScheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [MImpPro] C:\Program Files\MousePro\MIProHst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [WfwiEvalPostExpire] C:\Program Files\Wise for Windows Installer\EvalPostExpire.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [8cad99f9.exe] C:\Documents and Settings\ryan.y\Local Settings\Application Data\8cad99f9.exe
O4 - HKCU\..\Run: [Aoal] "C:\DOCUME~1\ryan.y\APPLIC~1\PPPATC~1\mmc.exe" -vt yazr
O4 - HKCU\..\Run: [El Reg Alerts] C:\Program Files\El Reg Alerts\theregister.exe
O4 - Startup: Shortcut to stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.dasdeck.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = groupicg.com
O17 - HKLM\Software\..\Telephony: DomainName = groupicg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = groupicg.com
O20 - AppInit_DLLs: HookDLL.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winaje32 - winaje32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Flash Media Server (FMS) (FMS) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
O23 - Service: Flash Media Administration Server (FMSAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINDOWS\system32\npacketsvc.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
O23 - Service: MorningSound VirtualCamera Play Service (VirtualCameraService) - Unknown owner - C:\Program Files\VirtualCamera\VCamSrv.exe

=======

I hope everything looks fine.

Thanks again for your help on this. I really appreciate it!

Ryan

LonnyRJones
2006-06-19, 19:49
"hope it's not going to cause any problems later on..?"
Not a problem, empty it now.

Start Hijackthis and place a check next to these items If there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O4 - HKCU\..\Run: [8cad99f9.exe] C:\Documents and Settings\ryan.y\Local Settings\Application Data\8cad99f9.exe
O4 - HKCU\..\Run: [Aoal] "C:\DOCUME~1\ryan.y\APPLIC~1\PPPATC~1\mmc.exe" -vt yazr
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O20 - Winlogon Notify: winaje32 - winaje32.dll (file missing)

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Can you provide more information on these two files ?
O20 - AppInit_DLLs: HookDLL.DLL
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

Mention any problems youve noticed and post a new hijackthis log.

ryac79
2006-06-20, 13:51
Hi LonnyRJones,

I "fixed" the 11 items and restarted, used the computer all day at work and everything seems to be working and running fine. Nothing unusal happened.

About the these two files:

O20 - AppInit_DLLs: HookDLL.DLL
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

Sorry but I'm not really sure why they're there or why I have them. I do have MySQL running, but I have no problem with uninstalling it or removing it if it's necessary. If you think it's safer to remove these via HijackThis, I dont have any problem..

Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:23:40, on 6/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\MousePro\MIProHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\stickies\stickies.exe
C:\Nokia\Update_Manager\bin\UMScheduler.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\DOCUME~1\ryan.y\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\ryan.y\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\VFSWRA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [MImpPro] C:\Program Files\MousePro\MIProHst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [WfwiEvalPostExpire] C:\Program Files\Wise for Windows Installer\EvalPostExpire.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [El Reg Alerts] C:\Program Files\El Reg Alerts\theregister.exe
O4 - Startup: Shortcut to stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.dasdeck.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = groupicg.com
O17 - HKLM\Software\..\Telephony: DomainName = groupicg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = groupicg.com
O20 - AppInit_DLLs: HookDLL.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Flash Media Server (FMS) (FMS) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
O23 - Service: Flash Media Administration Server (FMSAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINDOWS\system32\npacketsvc.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
O23 - Service: MorningSound VirtualCamera Play Service (VirtualCameraService) - Unknown owner - C:\Program Files\VirtualCamera\VCamSrv.exe

Thanks again for your help..

Ryan

LonnyRJones
2006-06-20, 18:27
Are there any current problems ?

do a file search for hookdll.dll, right click on it and gather any information found, post it here

I was curious about why this say file missing, that doesn't necessarily mean its missing. no problems with the program ?
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

ewido just came out with a new program , i suggest you uninstall the one you have and go get the more current build.

ryac79
2006-06-21, 15:22
Hi..

I did a search for hookDLL.DLL. I found the file in c:\windows\system32. Here are the details of that file:

==

Description: SetupHook
Company: Wise Solutions, Inc.
File Version: 1.1.0.8
Date Created: 12/13/2005 17:10
Size: 4.5 KB

Product Name: Wise Solutions, Inc. SetupHook

==

I did install a product from wise solutions, it was an evaluation version of their installer program. I didnt need it anymore so I uninstalled it today, thinking it would remove the hookDLL.DLL file and it did remove it. The weird thing is though, it's still showing up in the HJT log. The log is below in case u want to see..

I've also uninstalled my older version of ewido, restarted, and installed the new version as well as did an update on it. I restarted in safe mode and scanned. The log for this is also below..

About the MySQL item, everything appears to be working fine with the MySQL server. I also did a search for program.exe and couldnt find anything..

There were actually no problems with my computer all day today.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 19:54:24, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\MousePro\MIProHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\stickies\stickies.exe
C:\Nokia\Update_Manager\bin\UMScheduler.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [MImpPro] C:\Program Files\MousePro\MIProHst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [WfwiEvalPostExpire] C:\Program Files\Wise for Windows Installer\EvalPostExpire.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [El Reg Alerts] C:\Program Files\El Reg Alerts\theregister.exe
O4 - Startup: Shortcut to stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.dasdeck.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = groupicg.com
O17 - HKLM\Software\..\Telephony: DomainName = groupicg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = groupicg.com
O20 - AppInit_DLLs: HookDLL.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Flash Media Server (FMS) (FMS) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
O23 - Service: Flash Media Administration Server (FMSAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINDOWS\system32\npacketsvc.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.2.0\US30Service.exe
O23 - Service: MorningSound VirtualCamera Play Service (VirtualCameraService) - Unknown owner - C:\Program Files\VirtualCamera\VCamSrv.exe

[B]Ewido Log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:37:45 PM 6/21/2006

+ Scan result:



C:\Documents and Settings\ryan.y\Cookies\ryan.y@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\ryan.y\Cookies\ryan.y@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.31:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.32:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.26:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\ryan.y\Cookies\ryan.y@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.38:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.39:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.41:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.42:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.44:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\ryan.y\Cookies\ryan.y@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\ryan.y\Cookies\ryan.y@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.27:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\ryan.y\Cookies\ryan.y@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.7:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.9:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\ryan.y\Cookies\ryan.y@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.29:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.25:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\ryan.y\Cookies\ryan.y@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.30:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.33:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.34:C:\Documents and Settings\ryan.y\Application Data\Mozilla\Firefox\Profiles\s5h7iv9a.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Do you think that I remove those two items in HJT?

Ryan

LonnyRJones
2006-06-21, 17:08
"Do you think that I remove those two items in HJT?"

Go here and submit hookdll.dll
http://www.virustotal.com/flash/index_en.html

ryac79
2006-06-23, 06:24
Hi LonnyRJones,

Thanks for that; however when I uninstalled Wise Solutions' Installer program, it must have removed hookdll.dll from my machine. I searched for the file again and it is not showing up anymore.

It's strange how HJT is still picking it up somewhere..

So far I haven't had anymore problems with my computer and everything seems to be working as it usually does.

Thanks for all your help. I appreciate it!

Ryan

LonnyRJones
2006-06-23, 07:41
Ok

You might as well have hijackthis fix it them
O20 - AppInit_DLLs: HookDLL.DLL
There will be an backup errror, disregard it.

If your system is problem free disable system restore reboot the pc and enable it again.

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Dont skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

tashi
2006-06-29, 20:55
As the problem appears to be resolved this topic will be archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Glad we could help. :)