View Full Version : Can someone check this HiJackthis Profile
I got some webhancer, Mirar toolbar and optimizer and other spyware problems. Ran spyware S&D, mirar uninstaller, and del some of it. Now its alot better but occasionally slowing down browser IE and also occasional popups. I def see some problems in there but im not sure exactly what i need to do to remove all the spyware. Thanks.
Logfile of HijackThis v1.97.7
Scan saved at 10:49:51 PM, on 7/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fazz's Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.35.26.163:8080
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fkqvx.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fkqvx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qfwaiqr.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsp1DA.dll
O2 - BHO: (no name) - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarmPro 4\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra 'Tools' menuitem: Java (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft AntiSpyware helper (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.09.13&unknown&unknown&http://www.toyota.com/vehicles/2006/4runner/key_features/int360.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149093394186
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Hi there.
Please read:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)
The log shows an outdated version of HJT; other instructions are also posted in that link regarding Spybot-S&D and an on-line anti virus scan.
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Please see:
You and Windows, a joint effort (http://forums.spybot.info/showpost.php?p=25290&postcount=4) :)
OK, sorry for the late reply, had some problems. Anyway. Here is a new version of HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:35:18 AM, on 7/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\AOL\1154071049\ee\aolsoftware.exe
c:\program files\common files\aol\1154071049\ee\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fazz's Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.35.26.163:8080
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fkqvx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qfwaiqr.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsp1DA.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero
Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program
Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file
missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero
Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarmPro 4\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program
Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program
Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
(file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} -
C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file)
(HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet
_install_popup.pl?1&4&04.00.09.13&unknown&unknown&http://www.toyota.com/vehicles/2006/4runner/key_features/in
t360.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149093394186
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dexplore.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive
Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton
AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner -
%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
And here is a pandascan online log:
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Services.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Update.exe
Spyware:spyware/whazit Not disinfected c:\windows\system32\kyf.dat
Adware:adware/webhancer Not disinfected c:\windows\lastgood\webhdll.dll
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Adware:adware/dealhelper Not disinfected c:\windows\AppsInstalled.htm
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Owner\Application Data\Lycos
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/statblaster Not disinfected Windows Registry
Adware:adware/popupsearches Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/startpage.na Not disinfected Windows Registry
Spyware:spyware/clientman Not disinfected Windows Registry
Adware:adware/cws.aboutblank Not disinfected Windows Registry
Adware:adware/sbsoft Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.doubleclick.net/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[media.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.questionmarket.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.serving-sys.com/]
Thank you for the help
can someone help me? This seems to be getting worse. Popups ads come when i do searches usually.
LonnyRJones
2006-08-05, 08:42
Hi
Im curious why youve never updated windows ?
Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/qoofix.php
Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.
Finally post the Qoofix logfile.
Make a new hijackthis log and post it without the formating getting messed up please. you might need to turn edit > word wrap on or off
Thank you so mcuh for the help.
I dl that program and ran a scan - it came up with no infected files. I didnt know how to save or show you the log it had?
Here is a HJT log i just made:
Logfile of HijackThis v1.99.1
Scan saved at 5:08:22 PM, on 8/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1154071049\ee\aolsoftware.exe
c:\program files\common files\aol\1154071049\ee\aim6.exe
C:\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fazz's Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.35.26.163:8080
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarmPro 4\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.09.13&unknown&unknown&http://www.toyota.com/vehicles/2006/4runner/key_features/int360.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149093394186
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dexplore.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
LonnyRJones
2006-08-06, 03:15
Im curious why youve never updated windows ?
A reply would be nice
Im not implying to go update just now while infected
Create a hijackthis uninstall list
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread
o sorry - never got around to updating the OS. will when i get a chance to after this clears up.
Here is the uninstall list from HJT:
ABBYY FineReader 7.0 Professional Edition
Ad-aware 6 Professional
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Adobe Reader 7.0.5
Ahead Nero Burning ROM
AIM Gadgets 2.70
AOL Uninstaller (Choose which Products to Remove)
Atomic Pop
AtomixMP3 v2.3 Trial
Belarc Advisor 7.1
BitTorrent 4.4.1
Blasterball Wild
Calculator Powertoy for Windows XP
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon IXY 200a, PowerShot S200, IXUS v2 WIA Driver
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
DAEMON Tools
Dark Orbit
DealHelper
Detto IntelliMover
DFX for Winamp3 (remove only)
DFX for Windows Media Player
Diskeeper Professional Edition
DivX
DivX Player
Enhanced Browser Overlay
Forethought
GemMaster 2
Google Talk (remove only)
Google Toolbar for Internet Explorer
GSpot Codec Information Appliance
HijackThis 1.99.1
HP Instant Support
HP RecordNow
Icons
Image Transfer
IMG Tool (remove only)
Inactive HP Printer Drivers (Remove only)
Internet Explorer Q867801
InterVideo WinDVD
iPod for Windows User Guide
iPod System Software Updater 2.1
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment Standard Edition v1.3.1_04
KazooStudio
KBD
K-Lite Codec Pack 2.10 Full
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire PRO 4.12.3
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
MarketBrowser
Masque Games on aim
Microsoft Office XP Professional with FrontPage
Microsoft XML Parser and SDK
mobile PhoneTools
Mozilla Firefox (0.9.3)
Mozilla Firefox (1.0)
MSXML 4.0 SP2 Parser and SDK
MUSICMATCH Jukebox
My Photo Center
Nokia Multimedia Player
Norton AntiVirus 2002
Norton WMI Update
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
One-on-One Diagnostic
Outlook Express Update Q330994
Panda ActiveScan
PC-Doctor for Windows
PeerGuardian v1.99pr7
PigPen
PowerDVD
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicklinks
QuickTime
RealOne Player
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
SabreWing 2
SE Helper Library
Shockwave
Sonic Foundry Super Duper Music Looper XPress
Space Rocks
Speedway
Spybot - Search & Destroy 1.2
SpywareBlaster v3.1
StyleXP (remove only)
Tcl 8.0.5 for Windows
TI Connect(TM) 1.3
TI-Black Link
TI-Graph Link 83 Plus
Tweakui Powertoy for Windows XP
USB
VideoLAN VLC media player 0.6.2
Wild Wave Screens
WildTangent Channel Manager
WildTangent Multiplayer Library
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q307869 for more information]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q310437 for more information]
Windows XP Hotfix (SP1) [See Q311542 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q318388 for more information]
Windows XP Hotfix (SP1) [See Q318966 for more information]
Windows XP Hotfix (SP1) [See Q319322 for more information]
Windows XP Hotfix (SP1) [See Q319949 for more information]
Windows XP Hotfix (SP1) [See Q320174 for more information]
Windows XP Hotfix (SP1) [See Q320552 for more information]
Windows XP Hotfix (SP1) [See Q320678 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinPcap 3.1 beta3
WinRAR archiver
WinZip
XChange 360
Yahoo! Messenger
Zero-Knowledge Freedom
ZoneAlarm Pro
LonnyRJones
2006-08-06, 08:17
In windows control panel addremove programs uninstall each of these programs, reboot if prompted.
DealHelper
Forethought
Icons
MarketBrowser
Enhanced Browser Overlay
Quicklinks
Recommended uninstall's>
WildTangent Channel Manager
WildTangent Multiplayer Library
----------------------------------
Start Hijackthis and place a check next to these items If there.
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
O9 - Extra button: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
Im unsure of this item, if you are to fix it
O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Outdated program's
Uninstall > Spybot - Search & Destroy 1.2
Install update, check for and fix any problems found with SSD 1.4
http://www.safer-networking.org/index.php?page=tutorial
Uninstall > SpywareBlaster v3.1
download and install the curren version http://www.javacoolsoftware.com/spywareblaster.html
these old versons should be uninstalled
J2SE Runtime Environment 5.0 Update 1
Java 2 Runtime Environment Standard Edition v1.3.1_04
Post a new hijackthis log in one reply and a combofix log in another
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Are you willing to replace norton ?
ok i did everything, uninstall, updated programs, HJT fixes. I dont have anyt money to update norton at the time. Hopefully in the future. I do have updated definitions running on my 2002 tho.
Here is the combofix log:
Start Time= Sun 08/06/2006 16:37:20.99
Running from: C:\Documents and Settings\Owner\Desktop
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-08-06 16:18:04 ( .D... ) "C:\Program Files\SpywareBlaster"
2006-07-31 13:50:54 59904 ( A.... ) "C:\WINDOWS\SYSTEM32\adrotate.dll"
2006-07-29 01:33:30 ( .D... ) "C:\Program Files\utorrent"
2006-07-29 01:05:40 ( .D... ) "C:\Documents and Settings\Owner\Application Data\uTorrent"
2006-07-28 04:41:30 ( .D... ) "C:\Documents and Settings\Owner\Application Data\JAMS"
2006-07-28 04:39:44 ( .D... ) "C:\Program Files\AIM Gadgets"
2006-07-28 03:19:36 ( .D... ) "C:\Documents and Settings\Owner\Application Data\acccore"
2006-07-28 03:17:56 ( .D... ) "C:\Program Files\Common Files\Nullsoft"
2006-07-28 03:17:30 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-07-28 03:17:30 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-07-28 03:17:18 ( .D... ) "C:\Program Files\AOL"
2006-07-25 17:18:08 0 ( A.... ) "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-25 17:04:06 ( .D... ) "C:\Program Files\Common
Files\{0064A29E-05F6-1033-1018-010419010001}"
2006-07-18 14:34:56 ( .D... ) "C:\Program Files\Datel"
2006-07-15 20:38:00 ( .D... ) "C:\Program Files\QuickTime"
2006-07-15 20:14:44 ( .D... ) "C:\Program Files\iTunes"
2006-06-29 05:24:10 83456 ( A.... ) "C:\WINDOWS\SYSTEM32\nsp1DA.dll"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINDOWS\SYSTEM32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINDOWS\SYSTEM32\ts_mediamotor.exe"
2006-06-02 22:09:36 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\rmoc3260.dll"
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))
2006-07-31 13:50 59,904 C:\WINDOWS\system32\adrotate.dll
2006-07-29 00:12 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-29 00:12 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-06-29 05:24 83,456 C:\WINDOWS\system32\nsp1DA.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"S3TRAY2"="S3tray2.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"USB"="C:\\WINDOWS\\system32\\usb.exe"
"nwiz"="nwiz.exe /install"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~2\\zlclient.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~2\\navapw32.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Aim6"=""
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{0064A29E-05F6-1033-1018-010419010001}"="\"C:\\Program Files\\Common
Files\\{0064A29E-05F6-1033-1018-010419010001}\\Update.exe\" mc-110-12-0000103"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All
Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All
Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All
Users^Start Menu^Programs^Startup^Image Transfer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Image Transfer.lnk"
"backup"="C:\\WINDOWS\\pss\\Image Transfer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SONYCO~1\\IMAGET~1\\SonyTray.exe "
"item"="Image Transfer"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All
Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~1\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and
Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\BitTorrent.lnk"
"backup"="C:\\WINDOWS\\pss\\BitTorrent.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\BITTOR~1\\BITTOR~1.EXE "
"item"="BitTorrent"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\cvn0.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admin Manager Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SysExec"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\SYSTEM32\\SysExec.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamWizard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CamWizrd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Logitech\\QCDRV\\BIN\\CamWizrd.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Daemon Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCActiveMenu"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\ActiveMenu\\DDCActiveMenu.exe\" -boot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCMan"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\DDCManager\\DDCMan.exe\" -Background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DeadAIM"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndref_7"
"hkey"="HKLM"
"command"="C:\\\\dfndref_7.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="digstream"
"hkey"="HKLM"
"command"="C:\\Program Files\\DIGStream\\digstream.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESPN360]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="espn360"
"hkey"="HKCU"
"command"="C:\\Program Files\\ESPN360\\bin\\espn360.exe -nogui"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AbbyyNewsReader"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ABBYY FineReader 7.0 Professional Edition\\AbbyyNewsReader.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FreeRAM XP Pro"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\wfxqhv.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdef_7"
"hkey"="HKLM"
"command"="C:\\\\kybrdef_7.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Manager Socket]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OSAV32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSTEM32\\OSAV32.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmc"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\msmc.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NT Application Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSAVCfg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSTEM32\\MSAVCfg.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Online News Screensaver]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="onsagent"
"hkey"="HKCU"
"command"="C:\\Program Files\\Online News Screensaver\\onsagent.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PGtray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realplay"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dsidebar"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Desktop Sidebar\\dsidebar.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soui5RiW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Soui5RiW"
"hkey"="HKLM"
"command"="c:\\documents and settings\\owner\\local settings\\temp\\Soui5RiW.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StyleXP"
"hkey"="HKCU"
"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Media]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Tvm"
"hkey"="HKLM"
"command"="C:\\Program Files\\TV Media\\Tvm.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Validation Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DBExecCom"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\SYSTEM32\\DBExecCom.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinProfile]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sndcfg16"
"hkey"="HKLM"
"command"="sndcfg16.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Manager Socket]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OSAVCfg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSTEM32\\OSAVCfg.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Freedom"
"hkey"="HKCU"
"command"="C:\\Program Files\\Zero Knowledge\\Freedom\\Freedom.exe"
"inimapping"="0"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Sun 08/06/2006 16:37:35.29
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:44:09 PM, on 8/6/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\AOL\1154071049\ee\aolsoftware.exe
c:\program files\common files\aol\1154071049\ee\aim6.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fazz's Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.35.26.163:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero
Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program
Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero
Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe"
-win
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarmPro 4\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet
_install_popup.pl?1&4&04.00.09.13&unknown&unknown&http://www.toyota.com/vehicles/2006/4runner/key_features/in
t360.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149093394186
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dexplore.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive
Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton
AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner -
%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Hey I forgot to tell you, ive had that dealhelper problem for awhile, i dont think the actual program is still running bc i got rid of it awhile ago. However, in my Add/Remove Programs list - Dealhelper has always given me problems when I try to uninstall it. It gives me the message "Installation Log File Not Found!" So Im not sure whats up with the Dealhelper, if its still on my comp or not. The size listed on my Add/Remove list is around 2 GB too. Thanks for all the help.
LonnyRJones
2006-08-07, 05:26
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
;
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admin Manager Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Manager Socket]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NT Application Server]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soui5RiW.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Media]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Validation Client]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinProfile]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Manager Socket]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DealHelper]
;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC and delete these files and folder
C:\WINDOWS\SYSTEM32\icon_mediamotor.exe
C:\WINDOWS\SYSTEM32\ts_mediamotor.exe
C:\C:\WINDOWS\system32\adrotate.dll
c:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}
Norton 2002, a bit outdated, not worth having even if it can still update,
I personaly dont recommend even the current norton or symantect programs.
Why Not uninstall all of your norton program and install a free program ?
Several to choose from here
http://forums.spybot.info/showthread.php?t=279
OK i did everything, i couldnt find the one file called "system32\adrotate.dll" however. I will try to update my AV software soon i hope. Anything else I must do?
LonnyRJones
2006-08-07, 07:40
Yes , Im worried about all the unidentified items we have fixed earlyer in this thread
uninstall norton reboot and install either avg, avast or antivir then do a full system scan, preferably while the pc is in safe mode (not safe mode with networking)
ok i uninstalled Norton AV 2002, installed AVG. Im not too familiar with using SafeMode. How do I start it, and does it work like normal after that? And when I do run the scan, should I remove anything it detects, then get back to you?
LonnyRJones
2006-08-07, 08:33
Hi
Im only suggesting to run it in safe mode this time, or in the future if the av program has trouble with an infection.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx
Yes let it fix/delete/quorentine anything it finds
ok scanned with AVG in safe mode, it removed one file.
LonnyRJones
2006-08-07, 10:01
Thats all ? do you remember the files name and location ?
Post back in about a full day and let us know how that PC is, in the meantime take some preventative measures
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
Actually I see now that hte AVG removed 15 files, not 1. Here are the files:
This one was located in: C:\
VSL.dl_
These all were located in:
C:\System Volume Information\_restore{"bunch of letters"}\RP550\
A0109210.exe
A0109212.exe
A0109214.exe
A0109216.exe
A0114607.dll
A0114608.exe
A0114612.exe
A0114615.exe
A0114621.exe
A0114627.exe
A0114628.exe
A0114629.exe
A0114630.exe
A0114631.exe
The computer seems to be working much better now, no popups so far. Updated to SP2, defragged and things. Ill check out that host file thing too. Is it necessary?
O I forgot to ask you about that Dealhelper problem I mentioned before. It still shows up on my Add/Remove Programs however I dont ever see any symptoms of it, I think I did remove it in the past. It still shows in the Add/Remove section with 2.8 GB space taken up. How do I know if it is still on my computer and anyway to recover this space if it is really being used?
LonnyRJones
2006-08-08, 02:30
Yes an updated hosts file is a must.
Included in that reg file was a line that should have removed dealhelper from addremove, have you checked since then ?
If it is still there run Hijackthis click config > msie tools >open uninstall manager, hilight dealhelper what is the uninstall command over to the right ?
while it is still hilighted choose delete this entry.
Updated to SP2,. Fantastic, be sure to revisit windows update after sp2 was installed, there are probaly a few more crittical updates.
Yea I just checked and the Dealhelper is still there and its bigger than it orginially was, now at 3.0 GB. On the HJT uninstall manager it says next to Uninstall Command: "C:\WINDOWS\Uninstall.exe" "C:\Program Files\DealHelper.com Inc.\dhuninst.log"
If i choose to del the entry, will it completely remove any traces of the program? Or add that 3 GB to my free space?
LonnyRJones
2006-08-08, 03:41
Not to worry about the size.
can you delete this file and folder ?
C:\WINDOWS\Uninstall.exe
C:\Program Files\DealHelper.com Inc
Yea the C:\Windows\Uninstall.exe is there however the other Program Files folder is not, I believe I deleted that one a long time ago. What should I do? Just delete Uninstall.exe and remove the Add/Remove entry with HJT?
LonnyRJones
2006-08-08, 03:59
Just delete Uninstall.exe and remove the Add/Remove entry with HJT?
Yes
If there are no current problems Purge System Restore
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Dont skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
OK did all that. Anything else to do?
LonnyRJones
2006-08-08, 04:28
No, but Post back in a few days and let us know if that PC is still ok
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.
Applies only to the original topic starter.
Thank you Lonny