please assist with hjt log



alexbutterfield
2006-08-26, 18:14
Hi, I'm new to HJT but wondered if anyone could help. I've been running AVG and Ad-Aware to try and eliminate popups that tell me I have a malware problem, among other things. These warnings, which look like regular Windows warnings, direct me to sites where I have to buy software.

here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 17:06:06, on 26/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
I:\WINDOWS\System32\Ati2evxx.exe
I:\WINDOWS\System32\CTsvcCDA.exe
i:\program files\mcafee.com\agent\mcdetect.exe
i:\PROGRA~1\mcafee.com\agent\mctskshd.exe
I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\System32\MsPMSPSv.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
I:\WINDOWS\system32\ishost.exe
I:\WINDOWS\system32\isnotify.exe
I:\WINDOWS\system32\issearch.exe
I:\WINDOWS\system32\ismon.exe
I:\Program Files\Microsoft IntelliType Pro\type32.exe
I:\Program Files\Microsoft IntelliPoint\point32.exe
I:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\DAEMON Tools\daemon.exe
I:\WINDOWS\system32\658b867f.exe
I:\WINDOWS\system32\ca64a6b.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\ipwins\ipwins.exe
I:\Program Files\Common Files\{BC58AF4D-0966-2057-1118-03030801002c}\Update.exe
I:\Program Files\Mozilla Firefox\firefox.exe
J:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
I:\Program Files\Grisoft\AVG Free\avgcc.exe
I:\Program Files\Grisoft\AVG Free\avgwb.dat
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\WinRAR\WinRAR.exe
I:\DOCUME~1\home\LOCALS~1\Temp\Rar$EX00.782\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - I:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [type32] "I:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "I:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [MCAgentExe] i:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] I:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] I:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [UpdReg] I:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] I:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "I:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [658b867f.exe] I:\WINDOWS\system32\658b867f.exe
O4 - HKLM\..\Run: [SpyQuake2.com] I:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [ca64a6b.exe] I:\WINDOWS\system32\ca64a6b.exe
O4 - HKLM\..\Run: [IpWins] I:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [McRegWiz] i:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WhenUSave] "I:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [658b867f.exe] I:\Documents and Settings\home\Local Settings\Application Data\658b867f.exe
O4 - HKCU\..\Run: [ca64a6b.exe] I:\Documents and Settings\home\Local Settings\Application Data\ca64a6b.exe
O4 - HKCU\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - I:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - I:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - I:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - I:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - I:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - I:\WINDOWS\aG9tZTE\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - I:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - I:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - i:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - i:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - I:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Network Monitor - Unknown owner - I:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

thanks

pskelley
2006-08-27, 13:03
Welcome to the forum, follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015. When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

Thanks...pskelley
Safer Networking Forums

If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/

alexbutterfield
2006-09-01, 18:16
Having completed all the instructions in the Smitfraud: spyaxe, spywarefalcon, and other desktop hijacks thread, I would appreciate any advice based upon these logs.

rapport.txt:

SmitFraudFix v2.81

Scan done at 12:52:55.93, 01/09/2006
Run from I:\Documents and Settings\home\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

alexbutterfield
2006-09-01, 18:17
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 16:31:05 01/09/2006

+ Scan result:



HKU\S-1-5-21-1645522239-1454471165-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1645522239-1454471165-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave\Partners\WUSV -> Adware.SaveNow : Cleaned with backup (quarantined).
I:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
I:\WINDOWS\system32\awtsrpm.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
I:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\CZYRQ1A9\srvpou[1].exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
I:\WINDOWS\system32\esgwlpvn.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Ignored.
:mozilla.66:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
I:\Documents and Settings\Mike\Cookies\mike@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
I:\Documents and Settings\Mike\Cookies\mike@bulldog.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.37:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.38:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.7:I:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\4agkqazp.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.8:I:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\4agkqazp.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.31:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.167:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.75:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.76:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.53:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.54:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.14:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.35:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.42:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.43:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.44:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.45:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.46:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.18:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.19:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.39:I:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\4agkqazp.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.55:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.56:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.15:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.16:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.17:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.138:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.25:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.26:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
I:\Documents and Settings\home\Cookies\home@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.27:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.28:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.29:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.30:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.79:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.80:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.70:I:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\dkw63vue.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
I:\Documents and Settings\home\Cookies\home@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

alexbutterfield
2006-09-01, 18:17
Logfile of HijackThis v1.99.1
Scan saved at 16:48:01, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\explorer.exe
I:\DOCUME~1\home\LOCALS~1\Temp\Rar$EX00.985\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F636BB81-7A32-4DF8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
R3 - URLSearchHook: (no name) - {894BCC81-7640-4DC8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {894BCC81-7640-4DC8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
O2 - BHO: McAfee Privacy Service Helper Object - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - I:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: (no name) - {DD01A7DC-E500-45E1-B703-2CFC8BCE0E4E} - I:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {F636BB81-7A32-4DF8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [type32] "I:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "I:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [McAfee Guardian] I:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [UpdReg] I:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] I:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "I:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MCUpdateExe] i:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "I:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [658b867f.exe] I:\Documents and Settings\home\Local Settings\Application Data\658b867f.exe
O4 - HKCU\..\Run: [ca64a6b.exe] I:\Documents and Settings\home\Local Settings\Application Data\ca64a6b.exe
O4 - HKCU\..\Run: [Ahdd] "I:\PROGRA~1\WNSXS~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ixcdfo] J:\My Docs\??curity\j?vaw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - I:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - I:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - I:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O20 - Winlogon Notify: jkkll - I:\WINDOWS\system32\jkkll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - I:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - I:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - J:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - I:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - I:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - i:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - i:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - I:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

tashi
2006-09-02, 18:11
I was closing this topic (due to lack of a response) when I found another new topic which I have merged. ;)

alexbutterfield, please click 'Post Reply' rather than 'Start new topic'

Thanks. :)

pskelley
2006-09-02, 20:00
Thanks for returning the information, please make sure you read and understand all instructions,

post the three logs in this same topic using the "Post Reply" button.

alexbutterfield, please click 'Post Reply' rather than 'Start new topic'
You are running HJT from a Temp folder, this is not safe as we will not have backups if needed, move HJT to here: C:\HJT\HijackThis.exe. If you need more instructions, use these:
http://russelltexas.com/malware/createhjtfolder.htm
http://www.bleepingcomputer.com/forums/tutorial94.html

This HJT log was run in Safe Mode, I need to see all HJT logs in Normal Mode with no formatting unless I request otherwise.

Open Start > Control Panel > Add Remove Programs. Uninstall PuritySCAN By OIN, OIN or OuterInfo or anything that mentions any of those. While you are there, look at the programs and uninstall any you know do not belong there; if you are unsure let me know and I will look.
If you see none of those to uninstall, then download and run this uninstaller: http://www.outerinfo.com/howto.html

Restart the computer and post a new HJT log that is run in Normal Mode as instructed above. We do have more work to do.

Thanks

alexbutterfield
2006-09-03, 19:09
Sorry I started a new topic, I thought it might be better since I was running a new HJT scan, but I'll stick to this one if I need to post any more.

I removed a program with OIN in the name, but I've forgotten the actual name; it was late yesterday. Having done that, and while trying to move HJT, the PC froze, sort of: I was still able to use Task Manager, but everything else was frozen. I dunno if that's connected.

Also, since I ran all the scans a few days ago, the popups directing me to buy antivirus software seem to have stopped, although there are a few other popups (not since I removed OIN, to my knowledge). However, other problems have occurred, such as the freeze, which has never happened before, and a 'no disc in drive' 'retry/cancel/continue' message keeps appearing. This also appeared throughout my use of Spybot, which meant I had to sit for 15 minutes clicking the mouse on continue, as there was no checkbox for 'use this answer all the time'/'yes to all' kind of thing. I don't know if this is just me or what.

Anyway, so I've moved HJT to a permanent folder and this is the resulting scan:

Logfile of HijackThis v1.99.1
Scan saved at 17:59:24, on 03/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
I:\WINDOWS\System32\Ati2evxx.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
I:\WINDOWS\System32\CTsvcCDA.exe
J:\Program Files\ewido anti-spyware 4.0\guard.exe
i:\program files\mcafee.com\agent\mcdetect.exe
i:\PROGRA~1\mcafee.com\agent\mctskshd.exe
I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\System32\MsPMSPSv.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
I:\Program Files\Microsoft IntelliType Pro\type32.exe
I:\Program Files\Microsoft IntelliPoint\point32.exe
I:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\DAEMON Tools\daemon.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\MSN Messenger\msnmsgr.exe
I:\PROGRA~1\WNSXS~1\notepad.exe
I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {1C48F561-6FDF-0349-A2AE-6043C467F591} - I:\WINDOWS\system32\pcljnjga.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C48F561-6FDF-0349-A2AE-6043C467F591} - I:\WINDOWS\system32\pcljnjga.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {894BCC81-7640-4DC8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
O2 - BHO: McAfee Privacy Service Helper Object - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - I:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: (no name) - {DD01A7DC-E500-45E1-B703-2CFC8BCE0E4E} - I:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E2A995FC-5D1D-3681-39E8-5480783C52C9} - I:\WINDOWS\system32\bme.dll (file missing)
O2 - BHO: (no name) - {F636BB81-7A32-4DF8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [type32] "I:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "I:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [McAfee Guardian] I:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [UpdReg] I:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] I:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "I:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MCUpdateExe] I:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [658b867f.exe] I:\Documents and Settings\home\Local Settings\Application Data\658b867f.exe
O4 - HKCU\..\Run: [ca64a6b.exe] I:\Documents and Settings\home\Local Settings\Application Data\ca64a6b.exe
O4 - HKCU\..\Run: [Ahdd] "I:\PROGRA~1\WNSXS~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ixcdfo] J:\My Docs\??curity\j?vaw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - I:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O20 - Winlogon Notify: jkkll - I:\WINDOWS\system32\jkkll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - I:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - I:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - J:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - I:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - I:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - i:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - i:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - I:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks

Alex

pskelley
2006-09-03, 20:39
Thanks for returning your information, Alex. You still have a very infected computer. I was just wondering how this computer got this messed up? Please follow these directions in the posted order.

1) I:\Program Files\Java\jre1.5.0_04\ <<< Java is out of date and will get you more infections, see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Please update it and make sure all old versions are uninstalled in Add Remove programs.

2) You are running two antivirus programs at the same time and this has the opposite effect than you would think. Here, you read it:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
Uninstall one, then update and do a complete system scan with the other. If you have problems scanning, wait until you have finished with HJT and then scan. Remove what the program finds and let me know the name and location (pathway) of anything that cannot be removed.

3) You still have PurityScan adware in your log, look again in Add Remove programs for anything that does not belong there and also download and run this uninstaller: http://www.outerinfo.com/howto.html

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - {1C48F561-6FDF-0349-A2AE-6043C467F591} - I:\WINDOWS\system32\pcljnjga.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {1C48F561-6FDF-0349-A2AE-6043C467F591} - I:\WINDOWS\system32\pcljnjga.dll
O2 - BHO: (no name) - {894BCC81-7640-4DC8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
O2 - BHO: (no name) - {DD01A7DC-E500-45E1-B703-2CFC8BCE0E4E} - I:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E2A995FC-5D1D-3681-39E8-5480783C52C9} - I:\WINDOWS\system32\bme.dll (file missing)
O2 - BHO: (no name) - {F636BB81-7A32-4DF8-48D2-77F2BF0045CB} - I:\WINDOWS\system32\ucjecv.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [658b867f.exe] I:\Documents and Settings\home\Local Settings\Application Data\658b867f.exe
O4 - HKCU\..\Run: [ca64a6b.exe] I:\Documents and Settings\home\Local Settings\Application Data\ca64a6b.exe
O4 - HKCU\..\Run: [Ahdd] "I:\PROGRA~1\WNSXS~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ixcdfo] J:\My Docs\??curity\j?vaw.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/z...ylomloader.cab
O20 - Winlogon Notify: jkkll - I:\WINDOWS\system32\jkkll.dll (file missing)
O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

(some of these may have been removed by the PurityScan uninstaller, just DO NOT miss any)

I:\PROGRAM FILES~1\WNSXS~1\ <<< delete that folder

J:\My Docs\??curity\ <<< delete that folder
(not sure here, could be MyDocuments\ )

I:\Documents and Settings\home\Local Settings\Application Data\658b867f.exe <<< delete that file

I:\Documents and Settings\home\Local Settings\Application Data\ca64a6b.exe <<< delete that file

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log, include any information I requested.

Thanks
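As an added example (not part of this thread, and not code from HijackThis or the Spybot project), here is a small Python triage script that encodes the rules of thumb the helper applies to the log above: entries whose file is missing, unnamed BHOs and toolbars, hex-named executables auto-running from a per-user data folder, a system binary name launched from a non-system folder, and a Winlogon Notify DLL listed without a path. The sample log is constructed from entries quoted in this thread; the rule names and thresholds are my own assumptions, not HijackThis output.

```python
import re

# Constructed sample, modelled on the HijackThis v1.99.1 lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C48F561-6FDF-0349-A2AE-6043C467F591} - I:\WINDOWS\system32\pcljnjga.dll
O2 - BHO: (no name) - {DD01A7DC-E500-45E1-B703-2CFC8BCE0E4E} - I:\WINDOWS\system32\jkkll.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [658b867f.exe] I:\Documents and Settings\home\Local Settings\Application Data\658b867f.exe
O4 - HKCU\..\Run: [Ahdd] "I:\PROGRA~1\WNSXS~1\notepad.exe" -vt yazb
O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)
"""
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")          # "O4 - rest", "R3 - rest"
HEX_EXE_RE = re.compile(r"^[0-9a-f]{6,}\.exe$", re.I)   # assumed heuristic: 658b867f.exe, ca64a6b.exe

def run_target(rest):
    """For an O4 line, return the executable path (quotes and arguments stripped)."""
    body = rest.split("]", 1)[1].strip()
    if body.startswith('"'):
        return body[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", body, re.I)
    return m.group(1) if m else body

def triage(log_text):
    """Apply the helper's rules of thumb to each entry; returns [(line, reason)]."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue          # header, running-process list or blank line
        section, rest = m.groups()
        reason = None
        if "(file missing)" in rest or rest.endswith("(no file)"):
            reason = "orphaned entry: registry still points at a file that is gone"
        elif section in ("O2", "O3") and rest.startswith(("BHO: (no name)", "Toolbar: (no name)")):
            reason = "unnamed BHO/toolbar: identify the DLL before trusting it"
        elif section == "O4":
            target = run_target(rest)
            name = target.rsplit("\\", 1)[-1]
            if "\\Application Data\\" in target and HEX_EXE_RE.match(name):
                reason = "hex-named executable auto-running from a per-user data folder"
            elif name.lower() == "notepad.exe" and "\\WINDOWS\\" not in target.upper():
                reason = "system binary name launched from a non-system folder"
        elif section == "O20" and "\\" not in rest:
            reason = "Winlogon Notify DLL given without a path"
        if reason:
            findings.append((line, reason))
    return findings
```

Entries such as Spybot's own SDHelper.dll also show as "(no name)", so the unnamed-BHO rule is a prompt to look the DLL up, not a verdict on its own.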

tashi
2006-09-10, 21:51
This topic is closed due to lack of a response to helper, if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Thank you Phil.