View Full Version : Still getting popups and other things slowing down the system
millerpal
2006-07-08, 21:45
I have run an online scan (there wasn't a log available - I can run again if needed) and run Spybot in Safe-mode until no more items were found in red.
I'm still experiencing slowdowns, popups, and other windows popping up on the machine.
Any help would be appreciated.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:33:02 PM, on 7/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winupd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\9498f6e6.exe
C:\dfndrd_5.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\System32\mptft.exe
C:\WINDOWS\System32\ssn6tuu.exe
C:\WINDOWS\uuzmwgbA.exe
C:\Program Files\Ohipyc\Rvhth.exe
C:\WINDOWS\System32\nr1rnqm8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ASKS~1\regsvr32.exe
C:\Program Files\M?crosoft.NET\w?nlogon.exe
C:\WINDOWS\System32\ssec.exe
C:\WINDOWS\System32\tfthot.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\eHh4\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insightbb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cubnq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,nqhqbgp.exe
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [9498f6e6.exe] C:\WINDOWS\System32\9498f6e6.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_5.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [w00214fe.dll] RUNDLL32.EXE w00214fe.dll,I2 0013a841000214fe
O4 - HKLM\..\Run: [uuzmwgbA] C:\WINDOWS\uuzmwgbA.exe
O4 - HKLM\..\Run: [Akebg] C:\Program Files\Ohipyc\Rvhth.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\rwinoqez.exe GID003
O4 - HKLM\..\Run: [newname] c:\\nwnmd_5.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [9498f6e6.exe] C:\Documents and Settings\xxx\Local Settings\Application Data\9498f6e6.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Tuer] "C:\PROGRA~1\ASKS~1\regsvr32.exe" -vt yazr
O4 - HKCU\..\Run: [Fvokfde] C:\Program Files\M?crosoft.NET\w?nlogon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\rwinoqez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\mmc.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\m8280ifue8280.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\eHh4\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: winupd - Unknown owner - C:\WINDOWS\winupd.exe
LonnyRJones
2006-07-11, 12:37
Welcome to the forum
What version if SpyBot is it you have and when was it last updated ?
Why dont i see an antivirus program ?
1: Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/
After the pc has been restarted Post the tools log
2: Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/qoofix.php
Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.
Finally post a new Hijack This log and the contents of the Qoofix logfile.
millerpal
2006-07-12, 01:13
Thanks for the help.
Look2Me-Destroyer Log:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 7/11/2006 4:59:02 PM
Infected! C:\WINDOWS\system32\dpnput.dll
Infected! C:\WINDOWS\SYSTEM32\sddoclc.dll
Infected! C:\WINDOWS\SYSTEM32\m2julc191f.dll
Infected! C:\WINDOWS\SYSTEM32\m646lghs1646.dll
Infected! C:\WINDOWS\SYSTEM32\enrql1951.dll
Infected! C:\WINDOWS\SYSTEM32\fp0403dqe.dll
Infected! C:\WINDOWS\SYSTEM32\lewmf11n.dll
Infected! C:\WINDOWS\SYSTEM32\r08s0al7edq.dll
Infected! C:\WINDOWS\SYSTEM32\vlscript.dll
Infected! C:\WINDOWS\SYSTEM32\enl4l13q1.dll
Infected! C:\WINDOWS\SYSTEM32\dndskmgr.dll
Infected! C:\WINDOWS\SYSTEM32\muimsg.dll
Infected! C:\WINDOWS\SYSTEM32\diwsockx.dll
Infected! C:\WINDOWS\SYSTEM32\ceedui.dll
Infected! C:\WINDOWS\SYSTEM32\bhowser.dll
Infected! C:\WINDOWS\SYSTEM32\mhiavi32.dll
Infected! C:\WINDOWS\SYSTEM32\hxp95en.dll
Infected! C:\WINDOWS\SYSTEM32\cfcdll.dll
Infected! C:\WINDOWS\SYSTEM32\kidfr.dll
Infected! C:\WINDOWS\SYSTEM32\mgrecr40.dll
Infected! C:\WINDOWS\SYSTEM32\snbiop.dll
Infected! C:\WINDOWS\SYSTEM32\vhajet32.dll
Infected! C:\WINDOWS\SYSTEM32\m6rmlg9116.dll
Infected! C:\WINDOWS\SYSTEM32\mjcndmgr.dll
Infected! C:\WINDOWS\SYSTEM32\r6r6lg9s16.dll
Infected! C:\WINDOWS\SYSTEM32\dtime.dll
Infected! C:\WINDOWS\SYSTEM32\daocx.dll
Infected! C:\WINDOWS\SYSTEM32\ir60l5jm1.dll
Infected! C:\WINDOWS\SYSTEM32\mavfw32.dll
Infected! C:\WINDOWS\SYSTEM32\dpnput.dll
Infected! C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032785.dll
Infected! C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032791.dll
Infected! C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032811.dll
Infected! C:\WINDOWS\System32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\dpnput.dll
C:\WINDOWS\system32\dpnput.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\sddoclc.dll
C:\WINDOWS\SYSTEM32\sddoclc.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\m2julc191f.dll
C:\WINDOWS\SYSTEM32\m2julc191f.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\m646lghs1646.dll
C:\WINDOWS\SYSTEM32\m646lghs1646.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\enrql1951.dll
C:\WINDOWS\SYSTEM32\enrql1951.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\fp0403dqe.dll
C:\WINDOWS\SYSTEM32\fp0403dqe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\lewmf11n.dll
C:\WINDOWS\SYSTEM32\lewmf11n.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\r08s0al7edq.dll
C:\WINDOWS\SYSTEM32\r08s0al7edq.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\vlscript.dll
C:\WINDOWS\SYSTEM32\vlscript.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\enl4l13q1.dll
C:\WINDOWS\SYSTEM32\enl4l13q1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\dndskmgr.dll
C:\WINDOWS\SYSTEM32\dndskmgr.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\muimsg.dll
C:\WINDOWS\SYSTEM32\muimsg.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\diwsockx.dll
C:\WINDOWS\SYSTEM32\diwsockx.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\ceedui.dll
C:\WINDOWS\SYSTEM32\ceedui.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\bhowser.dll
C:\WINDOWS\SYSTEM32\bhowser.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\mhiavi32.dll
C:\WINDOWS\SYSTEM32\mhiavi32.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\hxp95en.dll
C:\WINDOWS\SYSTEM32\hxp95en.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\cfcdll.dll
C:\WINDOWS\SYSTEM32\cfcdll.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\kidfr.dll
C:\WINDOWS\SYSTEM32\kidfr.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\mgrecr40.dll
C:\WINDOWS\SYSTEM32\mgrecr40.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\snbiop.dll
C:\WINDOWS\SYSTEM32\snbiop.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\vhajet32.dll
C:\WINDOWS\SYSTEM32\vhajet32.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\m6rmlg9116.dll
C:\WINDOWS\SYSTEM32\m6rmlg9116.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\mjcndmgr.dll
C:\WINDOWS\SYSTEM32\mjcndmgr.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\r6r6lg9s16.dll
C:\WINDOWS\SYSTEM32\r6r6lg9s16.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\dtime.dll
C:\WINDOWS\SYSTEM32\dtime.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\daocx.dll
C:\WINDOWS\SYSTEM32\daocx.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\ir60l5jm1.dll
C:\WINDOWS\SYSTEM32\ir60l5jm1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\mavfw32.dll
C:\WINDOWS\SYSTEM32\mavfw32.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\dpnput.dll
C:\WINDOWS\SYSTEM32\dpnput.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032785.dll
C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032785.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032791.dll
C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032791.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032811.dll
C:\System Volume Information\_restore{5155F3AC-5E28-4DE6-8948-E19262FE5686}\RP236\A0032811.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{43CF2E23-CB55-4D83-8002-A2C97F8F266E}"
HKCR\Clsid\{43CF2E23-CB55-4D83-8002-A2C97F8F266E}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4C610523-CE68-4210-91DB-CD561435557D}"
HKCR\Clsid\{4C610523-CE68-4210-91DB-CD561435557D}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1088AD79-EDB5-4AC3-83DF-55C4B4C0BD01}"
HKCR\Clsid\{1088AD79-EDB5-4AC3-83DF-55C4B4C0BD01}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D103AA04-4A79-4FE8-888A-B6CAF69176AF}"
HKCR\Clsid\{D103AA04-4A79-4FE8-888A-B6CAF69176AF}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2AA68409-1076-495F-8B24-EA086FA7DA04}"
HKCR\Clsid\{2AA68409-1076-495F-8B24-EA086FA7DA04}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{32120345-7458-43AD-B2CC-569B1A4361F4}"
HKCR\Clsid\{32120345-7458-43AD-B2CC-569B1A4361F4}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CBC57A93-6936-4021-87B7-7C30243B9A93}"
HKCR\Clsid\{CBC57A93-6936-4021-87B7-7C30243B9A93}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{220D2B2B-BB14-4BEA-8395-3EBA4A4A2BD3}"
HKCR\Clsid\{220D2B2B-BB14-4BEA-8395-3EBA4A4A2BD3}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0C345D67-A6A1-4BAE-AEDE-68105EE03E27}"
HKCR\Clsid\{0C345D67-A6A1-4BAE-AEDE-68105EE03E27}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BF38E9FC-816C-4696-A04D-700A117ED4FE}"
HKCR\Clsid\{BF38E9FC-816C-4696-A04D-700A117ED4FE}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1601FB63-8E1D-41E2-82D4-4B19A423C4E2}"
HKCR\Clsid\{1601FB63-8E1D-41E2-82D4-4B19A423C4E2}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{55542111-589E-4537-A0D7-72C53E878257}"
HKCR\Clsid\{55542111-589E-4537-A0D7-72C53E878257}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{41712F22-EB8C-4E56-A2E1-ED29F8E9E87F}"
HKCR\Clsid\{41712F22-EB8C-4E56-A2E1-ED29F8E9E87F}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{93676F98-8878-42EC-89F6-6192DFAA783C}"
HKCR\Clsid\{93676F98-8878-42EC-89F6-6192DFAA783C}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DB1F3675-489F-4D24-9D87-0CFF5D7C82BB}"
HKCR\Clsid\{DB1F3675-489F-4D24-9D87-0CFF5D7C82BB}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6289713B-5C76-497F-B4B9-B75ECA7726EB}"
HKCR\Clsid\{6289713B-5C76-497F-B4B9-B75ECA7726EB}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3FD514BD-BE2E-4544-A8CC-77E66E61ECBD}"
HKCR\Clsid\{3FD514BD-BE2E-4544-A8CC-77E66E61ECBD}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F598485A-4041-443B-9209-00E94B94BD95}"
HKCR\Clsid\{F598485A-4041-443B-9209-00E94B94BD95}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{71824BA8-5798-4C6A-B990-C934E1D3E6D4}"
HKCR\Clsid\{71824BA8-5798-4C6A-B990-C934E1D3E6D4}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Other logs are coming...
millerpal
2006-07-12, 01:17
Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/11/2006] at [5:09:08 PM]
-------------------------------------------------------------
Terminated module: ssjjhia.dll found in Qoofix.exe (4092)
Terminated module: ssjjhia.dll found in MLJJQA.EXE (1184)
Terminated module: ssjjhia.dll found in EXPLORER.EXE (1232)
Terminated module: ssjjhia.dll found in CUBNQ.EXE (1240)
Terminated module: ssjjhia.dll found in CUBNQ.EXE (1288)
Terminated module: ssjjhia.dll found in CUBNQ.EXE (1296)
Terminated module: ssjjhia.dll found in HPZTSB05.EXE (1588)
Terminated module: ssjjhia.dll found in HPHMON04.EXE (1596)
Terminated module: ssjjhia.dll found in HPGS2WND.EXE (1612)
Terminated module: ssjjhia.dll found in dfndre_5.exe (1636)
Terminated module: ssjjhia.dll found in SYSC00.EXE (1660)
Terminated module: ssjjhia.dll found in uuzmwgbA.exe (1692)
Terminated module: ssjjhia.dll found in Rvhth.exe (1700)
Terminated module: ssjjhia.dll found in v1201.exe (1740)
Terminated module: ssjjhia.dll found in OPTIMIZE.EXE (1756)
Terminated module: ssjjhia.dll found in juqfstlA.exe (1784)
Terminated module: ssjjhia.dll found in RUNDLL32.EXE (1800)
Terminated module: ssjjhia.dll found in cfg32.exe (1828)
Terminated module: ssjjhia.dll found in MSMSGS.EXE (1864)
Terminated module: ssjjhia.dll found in w?nlogon.exe (1896)
Terminated module: ssjjhia.dll found in HPGS2WNF.EXE (2412)
Terminated module: ssjjhia.dll found in cfg32a.exe (3828)
Terminated module: ssjjhia.dll found in IEXPLORE.EXE (3936)
Terminated module: ssjjhia.dll found in TFTHOT.EXE (2964)
Terminated module: ssjjhia.dll found in IEXPLORE.EXE (2700)
-------------------------------------------------------------
C:\WINDOWS\System32\mljjqa.exe will be deleted on reboot!
C:\WINDOWS\System32\nqhqbgp.exe will be deleted on reboot!
C:\WINDOWS\System32\ssjjhia.dll will be deleted on reboot!
C:\WINDOWS\System32\cubnq.exe will be deleted on reboot!
C:\WINDOWS\System32\rjymc.dat will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\esvkw.exe will be deleted on reboot!
C:\WINDOWS\unwn.exe will be deleted on reboot!
C:\WINDOWS\System32\dmonwv.dll will be deleted on reboot!
User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/11/2006] at [5:14:16 PM]
Note: Some registry keys may have been removed.
millerpal
2006-07-12, 01:20
Logfile of HijackThis v1.99.1
Scan saved at 5:19:16 PM, on 7/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHh4\command.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\9498f6e6.exe
C:\dfndre_5.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\System32\mptft.exe
C:\WINDOWS\System32\ssn6tuu.exe
C:\WINDOWS\uuzmwgbA.exe
C:\Program Files\Ohipyc\Rvhth.exe
C:\WINDOWS\v1201.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\juqfstlA.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\cfg32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ASKS~1\regsvr32.exe
C:\PROGRA~1\MCROSO~1.NET\WNLOGO~1.EXE
C:\WINDOWS\System32\nr1rnqm8.exe
C:\WINDOWS\System32\ssec.exe
C:\WINDOWS\System32\tfthot.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winupd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\oodsregl.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\tfthot.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insightbb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cubnq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,nqhqbgp.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [9498f6e6.exe] C:\WINDOWS\System32\9498f6e6.exe
O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [w00214fe.dll] RUNDLL32.EXE w00214fe.dll,I2 0013a841000214fe
O4 - HKLM\..\Run: [uuzmwgbA] C:\WINDOWS\uuzmwgbA.exe
O4 - HKLM\..\Run: [Akebg] C:\Program Files\Ohipyc\Rvhth.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\nwinppez.exe CORN003
O4 - HKLM\..\Run: [newname] C:\\nwnme_5.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [juqfstlA] C:\WINDOWS\juqfstlA.exe
O4 - HKLM\..\Run: [{91-19-9E-E6-ZN}] c:\windows\system32\oodsregl.exe CORN003
O4 - HKLM\..\Run: [w00199ba.dll] RUNDLL32.EXE w00199ba.dll,I2 0013a841000199ba
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [9498f6e6.exe] C:\Documents and Settings\xxx\Local Settings\Application Data\9498f6e6.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Tuer] "C:\PROGRA~1\ASKS~1\regsvr32.exe" -vt yazr
O4 - HKCU\..\Run: [Fvokfde] C:\PROGRA~1\MCROSO~1.NET\WNLOGO~1.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinppez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll,mmc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\eHh4\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\juqfstl.exe
O23 - Service: winupd - Unknown owner - C:\WINDOWS\winupd.exe
LonnyRJones
2006-07-12, 10:30
In the windows control panel addremove programs uninstall
SurfSideKick 3
Network Monitor
and
Windows Overlay Components
Download Pocket Killbox to the desktop (version 2.0.0.648)
http://www.downloads.subratam.org/KillBox.exe
If you already have killbox ensure it is the latest version. ?
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.
C:\WINDOWS\eHh4\command.exe
C:\WINDOWS\System32\9498f6e6.exe
C:\dfndre_5.exe
C:\\kybrde_5.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\System32\mptft.exe
C:\WINDOWS\System32\ssn6tuu.exe
C:\WINDOWS\uuzmwgbA.exe
C:\Program Files\Ohipyc\Rvhth.exe
C:\WINDOWS\v1201.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\juqfstlA.exe
C:\WINDOWS\System32\nr1rnqm8.exe
C:\WINDOWS\System32\ssec.exe
C:\WINDOWS\System32\tfthot.exe
C:\WINDOWS\winupd.exe
c:\windows\system32\oodsregl.exe
C:\WINDOWS\System32\tfthot.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\System32\x3cqp0.dll
C:\WINDOWS\System32\WinNB58.dll
C:\Documents and Settings\xxx\Local Settings\Application Data\9498f6e6.exe
C:\WINDOWS\SYSTEM32\nwinppez.exe
C:\WINDOWS\SYSTEM32\dwdsregt.exe
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32p.dll
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\System32\mmc.dll
Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.
Once windows has re-started go start run type in
sc delete cmdservice
press ok or hit enter
go start run type in
sc delete winupd
press ok or hit enter
Start Hijackthis and place a check next to these items If there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cubnq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,nqhqbgp.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [9498f6e6.exe] C:\WINDOWS\System32\9498f6e6.exe
O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [w00214fe.dll] RUNDLL32.EXE w00214fe.dll,I2 0013a841000214fe
O4 - HKLM\..\Run: [uuzmwgbA] C:\WINDOWS\uuzmwgbA.exe
O4 - HKLM\..\Run: [Akebg] C:\Program Files\Ohipyc\Rvhth.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\nwinppez.exe CORN003
O4 - HKLM\..\Run: [newname] C:\\nwnme_5.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [juqfstlA] C:\WINDOWS\juqfstlA.exe
O4 - HKLM\..\Run: [{91-19-9E-E6-ZN}] c:\windows\system32\oodsregl.exe CORN003
O4 - HKLM\..\Run: [w00199ba.dll] RUNDLL32.EXE w00199ba.dll,I2 0013a841000199ba
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [9498f6e6.exe] C:\Documents and Settings\xxx\Local Settings\Application Data\9498f6e6.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Tuer] "C:\PROGRA~1\ASKS~1\regsvr32.exe" -vt yazr
O4 - HKCU\..\Run: [Fvokfde] C:\PROGRA~1\MCROSO~1.NET\WNLOGO~1.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinppez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll,mmc.dll
====================================
Hit fix checked and close Hijackthis.(not to worry about the hijackthis error)
[B]Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Why dont i see an antivirus program in your logs ?
Post back with a fresh HJT log
millerpal
2006-07-13, 00:49
Logfile of HijackThis v1.99.1
Scan saved at 4:44:36 PM, on 7/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insightbb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ldnbqx] C:\WINDOWS\System32\mljjqa.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iaucr] C:\WINDOWS\System32\mljjqa.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\juqfstl.exe (file missing)
AVG software is telling me there is a virus still - Downloader.Generic2.ESK, Downloader.Generic2.EVQ, Downloader.Generic2.EGW, Clicker.CKC....
Thanks for your help .
LonnyRJones
2006-07-13, 06:44
Hi
What are the file names and location that avg is reporting ?
You did let it repair/delete them and they still show up ?
Next step would be to restart your pc into safe mode run an avg full scan, then a check for problems with SpyBot.
But first run hijackthis and fix these items
O4 - HKLM\..\Run: [ldnbqx] C:\WINDOWS\System32\mljjqa.exe reg_run
O4 - HKCU\..\Run: [iaucr] C:\WINDOWS\System32\mljjqa.exe reg_run
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\juqfstl.exe (file missing)
============================
millerpal
2006-07-14, 00:39
Thank you for the help.
I did what you suggested and so far, so good. I am not seeing any indications of anything going on with the computer. Just to be sure, here is another HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 4:38:59 PM, on 7/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/index.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insightbb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
LonnyRJones
2006-07-14, 10:15
Looks ok
I would love to see a log after you visit windows update a couple times and get all critical updates.
This topic is closed.
If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.