View Full Version : Vcodec won't go away - HijackThis Log included
My PC is infected with some type of virus and I can't remove it.
I have tried the following:
Using a Bootup Cd I ran the following in DOS mode:
McAfee: nothing found.
F-Prot: nothing found.
Start Windows.
Run Ad-Adware: nothing found
Run Spybot: Vcodec.emedia found
I fix this problem and am told that the file is removed but each time after rebooting this file will reappear.
Run AVG Anti-Virus: a different reading error is found each time;
this time the misread file is called F:\WINDOWS\system32\djnkr.exe.
Other names have been mubqv.exe, qenap.exe, kedmx.exe, kishw.exe, fxalm.exe.
This file can not be deleted and the following error message is seen:
Cannot delete djnkr: It is being used by another person or program. Close ....... .
Deleting the misread file with HijackThis does not solve the problem.
What can I do to fix this problem?
Any help would be appreciated.
Here is my HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 12:58:14 PM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
F:\PROGRA~1\Yahoo!\YOP\yop.exe
F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
F:\Program Files\Logitech\SetPoint\KEM.exe
F:\Program Files\Sony Handheld\HOTSYNC.EXE
F:\PROGRA~1\Yahoo!\browser\ycommon.exe
F:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
F:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\WINDOWS\system32\mshearts.exe
F:\WINDOWS\system32\spider.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\Yahoo!\browser\YBrowser.exe
F:\DOCUME~1\Husband\LOCALS~1\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - F:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YBrowser] F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] F:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [GW Port Controller] F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [djnkr.exe] F:\WINDOWS\system32\djnkr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = F:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MSWin.exe
O4 - Global Startup: SBC Self Support Tool.lnk = F:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096650681447
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04AC048C-6A8D-48E4-B10E-4BF63C997EC6}: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7CEB43-6B31-4A4E-8459-4E6AF8EFBBEF}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{73B3EF7F-BA14-498A-A7D8-3AE74C3C403E}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CS3\Services\Tcpip\..\{04AC048C-6A8D-48E4-B10E-4BF63C997EC6}: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - F:\WINDOWS\system32\YPCSER~1.EXE
pskelley
2006-09-20, 13:32
Hello and welcome to the forum, sorry for the wait, logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.
1) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
2) You may have a Smitfraud infection, this scan will find out.
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
3) You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)
Restart the computer and post the results of the Smitfraudfix scan, C:\fixwareout\report.txt, a new HJT log and any comments you think will help.
Thanks
Thanks for the help pskelley.
I appreciate the time you are spending on this.
Since my first post I install and ran Symantec.
It caught Adware.Iplnsight and RazeSpyware.
RazeSpyware was responsible for ruining my desktop display.
I followed your instructions and the results are as follows:
After running the FixWareout, Symantec detected two programs:
BackDoor.Rustock.B
BackDoor.Rustock.A
Symantec took care of these.
When I tried the ipconfig /flushdns command the following message was seen:
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
SMITFRAUD LOG
SmitFraudFix v2.97
Scan done at 8:46:18.28, Thu 09/21/2006
Run from F:\Documents and Settings\Husband\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» F:\
»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» F:\Documents and Settings\Husband\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» F:\DOCUME~1\Husband\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» F:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
FIXWAREOUT LOG
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
Directory of F:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 10:29:58 AM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
F:\PROGRA~1\Yahoo!\YOP\yop.exe
F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
F:\PROGRA~1\Yahoo!\browser\ycommon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
F:\Program Files\Logitech\SetPoint\KEM.exe
F:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
F:\Program Files\Sony Handheld\HOTSYNC.EXE
F:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
F:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\spider.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\Program Files\HJT\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - F:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YBrowser] F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] F:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [GW Port Controller] F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [hioxl.exe] F:\WINDOWS\system32\hioxl.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = F:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MSWin.exe
O4 - Global Startup: SBC Self Support Tool.lnk = F:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096650681447
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04AC048C-6A8D-48E4-B10E-4BF63C997EC6}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7CEB43-6B31-4A4E-8459-4E6AF8EFBBEF}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{73B3EF7F-BA14-498A-A7D8-3AE74C3C403E}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CS3\Services\Tcpip\..\{04AC048C-6A8D-48E4-B10E-4BF63C997EC6}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - F:\WINDOWS\system32\YPCSER~1.EXE
pskelley
2006-09-21, 19:40
Thanks for returning your information. This one may be more complex than I thought. Have you rebooted the computer since you posted this last HJT log? If not, would you make sure you can see all hidden files and folders like this:
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
search for and let us know if this file is still present:
F:\WINDOWS\system32\hioxl.exe
I would also like you to search for this item: MSWin.exe using these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
and post the results for us.
Thanks
I made the changes to allow me to see a hidden files and folders.
I could not find the file F:\WINDOWS|system32\hioxl.exe but I did find
hiole.exe in the following locations:
C:\RECYCLERS\S-1-5-21-515967899-507921405-725345543-1003
C:\RECYCLERS\S-1-5-21-515967899-507921405-725345543-1004
C:\RECYCLERS\S-1-5-21-515967899-507921405-725345543-1005
F:\RECYCLERS\S-1-5-21-515967899-507921405-725345543-1003
F:\RECYCLERS\S-1-5-21-515967899-507921405-725345543-1004
F:\RECYCLERS\S-1-5-21-515967899-507921405-725345543-1005
I found the file MSWIN.exe with Windows Explorer in this location:
F:\Documents and Settings\All Users\Start Menu\Programs\Startup.
I ran Kaspersky.
The results are as follows:
Monday, September 25, 2006 2:54:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/09/2006
Kaspersky Anti-Virus database records: 213215
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
E:\
F:\
Scan Statistics
Total number of scanned objects 92600
Number of viruses found 3
Number of infected objects 44 / 0
Number of suspicious objects 3
Duration of the scan process 00:39:33
Infected Object Name Virus Name Last Action
C:\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP732\change.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite1.zip/backWeb-8876480.exe Suspicious: Password-protected-EXE skipped
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite1.zip ZIP: suspicious - 1 skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
F:\Documents and Settings\Husband\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbeam Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\History\History.IE5\MSHist012006092220060923\index.dat Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Temp\bbassistant.log Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Temp\Perflib_Perfdata_fac.dat Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Temp\~DF10C9.tmp Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Temp\~DF4C1F.tmp Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Temp\~DFE7A9.tmp Object is locked skipped
F:\Documents and Settings\Husband\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Husband\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Husband\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Son\Local Settings\Temporary Internet Files\Content.IE5\CAOI3TRB\deliver46860[1].htm Suspicious: Exploit.HTML.Mht skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
F:\Program Files\SBC Self Support Tool\log\mpbtn.log Object is locked skipped
F:\Program Files\SBC Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped
F:\Program Files\SBC Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped
F:\Program Files\SBC Self Support Tool\SmartBridge\SBExtHost.log Object is locked skipped
F:\Program Files\SBC Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped
F:\Program Files\Symantec AntiVirus\SAVRT\0796NAV~.TMP Object is locked skipped
F:\Program Files\Symantec AntiVirus\SAVRT\0810NAV~.TMP Object is locked skipped
F:\Program Files\Yahoo!\Messenger\logs\billing_Husband.log Object is locked skipped
F:\Program Files\Yahoo!\Messenger\logs\client_Husband.log Object is locked skipped
F:\Program Files\Yahoo!\Messenger\logs\network_Husband.log Object is locked skipped
F:\RECYCLER\S-1-5-21-515967899-507921405-725345543-1003\Df1.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP689\A0044517.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP689\A0044531.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP689\A0044541.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP691\A0044557.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP692\A0044697.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP693\A0044714.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP694\A0044734.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP694\A0044756.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP694\A0044767.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP695\A0044783.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP696\A0044799.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP697\A0044821.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP697\A0044829.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP697\A0044839.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP698\A0044853.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP699\A0044866.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP700\A0044884.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP701\A0044891.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP701\A0044900.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP702\A0044914.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP703\A0044926.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP705\A0044955.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP707\A0044981.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP708\A0044999.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP709\A0045040.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP710\A0045054.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP710\A0045063.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP711\A0045079.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP711\A0045089.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP712\A0045101.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP713\A0045127.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP715\A0045144.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP716\A0045156.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP716\A0045166.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP717\A0045180.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP718\A0045195.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP720\A0045214.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP721\A0045243.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP722\A0045267.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP722\A0045290.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP723\A0045313.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP725\A0045410.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP725\A0045453.exe Infected: Trojan.Win32.DNSChanger.ef skipped
F:\System Volume Information\_restore{AE259F6A-CC20-4444-838B-49B1E7C697CB}\RP732\change.log Object is locked skipped
F:\WINDOWS\CSC\00000001 Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
When I was running Kaspersky in the above post Symantec
detected the following:
Risk: Trojan.Desktophijack, Action: Deleted, Count: 2,
Filename A0044565.exe,
Original Location: F:\System Volume Information\_restore
{AE259F6A-CC20-4444-838b-49B1E7C697CB}\RP692\
Risk: Trojan.Desktophijack, Action: Deleted, Count: 2,
Filename A0045014.exe,
Original Location: F:\System Volume Information\_restore
{AE259F6A-CC20-4444-838b-49B1E7C697CB}\RP709\
pskelley
2006-09-25, 23:28
Thanks for returning the information, thought I had lost you. The C:\RECYCLERS\ and F:\RECYCLERS\ are the Recycle bin and the numbers indicate the users who they are assigned to. How many users to you have on this computer? I have no idea why you have both C and F drives
I also asked for a scan of the file, not a Kaspersky scan. Please check again with one or more of those free online scanners. I am almost certain that is a bad item.
MSWIN.exe
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
If you use Kaspersky, do not use this: Free Online Virus Scanner use the simple file scanner here: Kaspersky File Scanner
Browse until the item is in the scan box and click submit, all three work about the same way.
Please post a new HJT log along with that information from the file scan.
Thanks
pskelley
2006-09-25, 23:37
F:\System Volume Information\_restore <<< that is your System Restore files and they can do you no harm in there unless you do a System Restore in which case they do get back on the computer. We will clean the SR files before we are done.
Please give me the information I need about that one file and a new HJT log so I can see where we are.
Thanks
I'm still here and I do appreciate the help.
My drive is partioned to a C: drive for data and F: drive for everything else.
There are three user each with their own separate login.
Jotti found problems with the file MSWin.exe.
Service
Service load: 0% 100%
File: MSWin.exe
Status: INFECTED/MALWARE
MD5 32a752c7df1e0e56b8b8cb3518b7e783
Packers detected: ASPACK
Scanner results
AntiVir Found Trojan/Dldr.JSF
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.Murlo
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
VirusTotal also found problems with file MSWin.exe.
I'm not sure what stopped the scan.
STATUS: STOPPEDService is stopped in this moments. Scanning of your sample has not been finalized and results has been lost. If you wish to scan it, please send it again.
Antivirus Version Update Result
AntiVir 7.2.0.18 09.25.2006 TR/Dldr.JSF
Authentium 4.93.8 09.25.2006 no virus found
Avast 4.7.844.0 09.25.2006 no virus found
AVG 386 09.25.2006 no virus found
BitDefender 7.2 09.26.2006 no virus found
CAT-QuickHeal 8.00 09.25.2006 Backdoor.Sdbot.gen
ClamAV devel-20060426 09.25.2006 no virus found
eTrust-InoculateIT 23.73.4 09.24.2006 no virus found
eTrust-Vet 30.3.3100 09.25.2006 Win32/Suspect
DrWeb 4.33 09.26.2006 no virus found
Ewido 4.0 09.25.2006 no virus found
Fortinet 2.82.0.0 09.25.2006 suspicious
F-Prot 3.16f 09.25.2006 no virus found
F-Prot4 4.2.1.29 09.25.2006 no virus found
Ikarus 0.2.65.0 09.25.2006 no virus found
Kaspersky 4.0.2.24 09.26.2006 no virus found
McAfee 4859 09.25.2006 Downloader-YO
Microsoft 1.1560 09.25.2006 no virus found
NOD32v2 1.1774 09.25.2006 a variant of Win32/TrojanDownloader.Murlo
Norman 5.80.02 09.25.2006 no virus found
Panda 9.0.0.4 09.25.2006 Trj/Downloader.JSF
Aditional Information
File size: 20992 bytes
MD5: 32a752c7df1e0e56b8b8cb3518b7e783
SHA1: 81dd1f0d8fea61b8c6c2ae24bb188d31b873578f
packers: Aspack
The results of HJT scan are as follows:
Logfile of HijackThis v1.99.1
Scan saved at 6:05:43 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
F:\PROGRA~1\Yahoo!\browser\ycommon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
F:\Program Files\Logitech\SetPoint\KEM.exe
F:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
F:\Program Files\Sony Handheld\HOTSYNC.EXE
F:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
F:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\WINDOWS\system32\wuauclt.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\HJT\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - F:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YBrowser] F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] F:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [GW Port Controller] F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [hioxl.exe] F:\WINDOWS\system32\hioxl.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = F:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MSWin.exe
O4 - Global Startup: SBC Self Support Tool.lnk = F:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096650681447
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04AC048C-6A8D-48E4-B10E-4BF63C997EC6}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7CEB43-6B31-4A4E-8459-4E6AF8EFBBEF}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{73B3EF7F-BA14-498A-A7D8-3AE74C3C403E}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CS3\Services\Tcpip\..\{04AC048C-6A8D-48E4-B10E-4BF63C997EC6}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - F:\WINDOWS\system32\YPCSER~1.EXE
pskelley
2006-09-26, 03:27
Thanks for that information, that file needs to go, this is where you said the file was: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSWIN.exe It is likely you will have to delete it in safe mode, but we will see. I want you to understand that the 016 lines that look like this:
85.255.114.86 85.255.112.228 <<< are part of this Wareout infection. They are usually easy to remove, unless a program that blocks changes keep us from removing them. The only program I can see is this one:
F:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe which is obsolete, see this information:
http://www.russelltexas.com/malware/defender.htm
Understand that Microsoft purchased this product from Giant and it because Windows Defender as you saw in the link. You do need to update to the new free program, but for now I would like you to uninstall the old program in case it is blocking the HJT fix of Wareout.
This item: O4 - HKLM\..\Run: [hioxl.exe] F:\WINDOWS\system32\hioxl.exe <<< is also in the log. With all files and folder showing, you need to search for this file: F:\WINDOWS\system32\hioxl.exe and make sure it is where it says it is, or that you know where it is. Once we run HJT you must delete that file. This can be a very tricky removal, so be aware of what we must do. Make sure you still have the ATF-Cleaner on your Desktop, I suggest you keep that tool, it is a very good one. We will run the complete Fixwareout again, and see what happens.
Be sure you have uninstalled the old GIANT AntiSpyware so we know it is not blocking out fix.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hioxl.exe] F:\WINDOWS\system32\hioxl.exe
O4 - Global Startup: MSWin.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7CEB43-6B31-4A4E-8459-4E6AF8EFBBEF}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{73B3EF7F-BA14-498A-A7D8-3AE74C3C403E}: NameServer = 85.255.114.86,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.86 85.255.112.228
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
F:\WINDOWS\system32\hioxl.exe <<< delete that file
F:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSWIN.exe <<< delete that file
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the results of Fixwareout and a new HJT log.
I do not want you to be without protection, so download, install and run Windows Defender, let me know the results.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Thanks...Phil
I couldn't find hioxl.exe to delete it.
I couldn't find MSWIN.exe in the Startup directory. The only file I could find was MSWIN.exe-08AA3C8D.pf in the F:\WINDOWS|Prefetch directory. I deleted this file.
Results of Fixwareout:
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
Directory of F:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
Results of HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:31:52 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
F:\PROGRA~1\Yahoo!\YOP\yop.exe
F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\Yahoo!\browser\ycommon.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
F:\Program Files\Logitech\SetPoint\KEM.exe
F:\Program Files\Sony Handheld\HOTSYNC.EXE
F:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
F:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\Program Files\HJT\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - F:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YBrowser] F:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] F:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [GW Port Controller] F:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = F:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = F:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096650681447
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - F:\WINDOWS\system32\YPCSER~1.EXE
pskelley
2006-09-26, 12:04
Thanks for the feedback, more information about that item:
http://www.securitystronghold.com/gates/spyware-adware-solutions/MSWin_mswin.exe_solution.htm
Everything I see when I google indicates the item is bad, but I would like you to leave that file:
MSWIN.exe-08AA3C8D.pf in the F:\WINDOWS|Prefetch directory in the Recycle bin for a few days just to be positive it is bad, or you can scan it if you wish, if the scan indicates it is malware, delete it.
Looks like Fixwareout was able to remove the bad file that was restoring the bad 017 lines and the log looks clean of malware. Great job with those complex instructions:bigthumb: How is the computer running now?
There is a good possibility the old Giant program blocked us the first time. If you are going to use Windows Defender as part of your security, I would get it in place quickly.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Safe surfing...tashi:) will close the topic in a day or so.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
My computer looks good: Vcodec is gone.
I want to thank you for all the help.
There is no way I would have been able to figure out what to do.
I will read the information you referred to me and try and keep my system clean and safe.
Thank Again ...............
Cheers sir747. :)
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Glad we could help.