Page 1 of 4 1234 LastLast
Results 1 to 10 of 31

Thread: Can someone check this HiJackthis Profile

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    18

    Default Can someone check this HiJackthis Profile

    I got some webhancer, Mirar toolbar and optimizer and other spyware problems. Ran spyware S&D, mirar uninstaller, and del some of it. Now its alot better but occasionally slowing down browser IE and also occasional popups. I def see some problems in there but im not sure exactly what i need to do to remove all the spyware. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:49:51 PM, on 7/25/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\NORTON~2\navapw32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fazz's Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.35.26.163:8080
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F0 - system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fkqvx.exe
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fkqvx.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qfwaiqr.exe
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsp1DA.dll
    O2 - BHO: (no name) - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O2 - BHO: (no name) - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
    O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
    O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarmPro 4\zapro.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: Java (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Microsoft AntiSpyware helper (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...es/int360.html
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1149093394186
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/downlo...-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,355

    Default

    Hi there.

    Please read:
    BEFORE you post and who will advise you. Preliminary Steps

    The log shows an outdated version of HJT; other instructions are also posted in that link regarding Spybot-S&D and an on-line anti virus scan.

    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Please see:
    You and Windows, a joint effort
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jul 2006
    Posts
    18

    Default

    OK, sorry for the late reply, had some problems. Anyway. Here is a new version of HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:35:18 AM, on 7/29/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\NORTON~2\navapw32.exe
    C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Update.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Common Files\AOL\1154071049\ee\aolsoftware.exe
    c:\program files\common files\aol\1154071049\ee\aim6.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fazz's Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.35.26.163:8080
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fkqvx.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qfwaiqr.exe
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

    7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsp1DA.dll
    O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero

    Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

    Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

    AntiVirus\NavShExt.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program

    Files\TGTSoft\StyleXP\TGT_BHO.dll
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file

    missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero

    Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton

    AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
    O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarmPro 4\zapro.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -

    res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program

    Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program

    Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

    (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} -

    C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file)

    (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -

    https://components.viewpoint.com/MTS...staller.v4/vet

    _install_popup.pl?1&4&04.00.09.13&unknown&unknown&http://www.toyota.com/vehicles/2006/...ey_features/in

    t360.html
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

    http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -

    http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

    http://update.microsoft.com/windowsu...?1149093394186
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

    http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
    O20 - AppInit_DLLs: C:\WINDOWS\System32\dexplore.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive

    Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

    Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton

    AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner -

    %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec

    Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

  4. #4
    Junior Member
    Join Date
    Jul 2006
    Posts
    18

    Default

    And here is a pandascan online log:




    Incident Status Location

    Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Services.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Update.exe
    Spyware:spyware/whazit Not disinfected c:\windows\system32\kyf.dat
    Adware:adware/webhancer Not disinfected c:\windows\lastgood\webhdll.dll
    Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
    Adware:adware/dealhelper Not disinfected c:\windows\AppsInstalled.htm
    Adware:adware/ncase Not disinfected c:\windows\didduid.ini
    Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Owner\Application Data\Lycos
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/ist.istbar Not disinfected Windows Registry
    Spyware:spyware/media-motor Not disinfected Windows Registry
    Adware:adware/statblaster Not disinfected Windows Registry
    Adware:adware/popupsearches Not disinfected Windows Registry
    Adware:adware/mirar Not disinfected Windows Registry
    Adware:adware/startpage.na Not disinfected Windows Registry
    Spyware:spyware/clientman Not disinfected Windows Registry
    Adware:adware/cws.aboutblank Not disinfected Windows Registry
    Adware:adware/sbsoft Not disinfected Windows Registry
    Adware:adware/searchexe Not disinfected Windows Registry
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[www.burstbeacon.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[media.fastclick.net/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.ads.pointroll.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.8aw\cookies.txt[.serving-sys.com/]




    Thank you for the help

  5. #5
    Junior Member
    Join Date
    Jul 2006
    Posts
    18

    Default

    can someone help me? This seems to be getting worse. Popups ads come when i do searches usually.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Im curious why youve never updated windows ?


    Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/qoofix.php
    1. Unzip all files to a convenient location such as C:\Qoofix.
    2. Go to the folder you unzipped all files and run Qoofix.exe.
    3. Click Begin Removal and wait for the scan to finish.
    4. If an infection has been found, select yes to restart your computer.

    Finally post the Qoofix logfile.

    Make a new hijackthis log and post it without the formating getting messed up please. you might need to turn edit > word wrap on or off
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  7. #7
    Junior Member
    Join Date
    Jul 2006
    Posts
    18

    Default

    Thank you so mcuh for the help.
    I dl that program and ran a scan - it came up with no infected files. I didnt know how to save or show you the log it had?

    Here is a HJT log i just made:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:08:22 PM, on 8/5/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\NORTON~2\navapw32.exe
    C:\Program Files\Common Files\{0064A29E-05F6-1033-1018-010419010001}\Update.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\AOL\1154071049\ee\aolsoftware.exe
    c:\program files\common files\aol\1154071049\ee\aim6.exe
    C:\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fazz's Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.35.26.163:8080
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
    O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
    O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarmPro 4\zapro.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...es/int360.html
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1149093394186
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
    O20 - AppInit_DLLs: C:\WINDOWS\System32\dexplore.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Im curious why youve never updated windows ?
    A reply would be nice
    Im not implying to go update just now while infected

    Create a hijackthis uninstall list
    Start HiJackThis
    Press 'Config'
    Press 'Misc Tools'
    Press 'Open Uninstall Manager'
    Press 'Save List'
    Save the log to a convenient location
    Copy the log and post its contents in this thread
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #9
    Junior Member
    Join Date
    Jul 2006
    Posts
    18

    Default

    o sorry - never got around to updating the OS. will when i get a chance to after this clears up.

    Here is the uninstall list from HJT:

    ABBYY FineReader 7.0 Professional Edition
    Ad-aware 6 Professional
    Adobe Acrobat 5.0
    Adobe Photoshop 7.0
    Adobe Reader 7.0.5
    Ahead Nero Burning ROM
    AIM Gadgets 2.70
    AOL Uninstaller (Choose which Products to Remove)
    Atomic Pop
    AtomixMP3 v2.3 Trial
    Belarc Advisor 7.1
    BitTorrent 4.4.1
    Blasterball Wild
    Calculator Powertoy for Windows XP
    Canon Camera Support Core Library
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window DVC for ZoomBrowser EX
    Canon Camera Window for ZoomBrowser EX
    Canon IXY 200a, PowerShot S200, IXUS v2 WIA Driver
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    DAEMON Tools
    Dark Orbit
    DealHelper
    Detto IntelliMover
    DFX for Winamp3 (remove only)
    DFX for Windows Media Player
    Diskeeper Professional Edition
    DivX
    DivX Player
    Enhanced Browser Overlay
    Forethought
    GemMaster 2
    Google Talk (remove only)
    Google Toolbar for Internet Explorer
    GSpot Codec Information Appliance
    HijackThis 1.99.1
    HP Instant Support
    HP RecordNow
    Icons
    Image Transfer
    IMG Tool (remove only)
    Inactive HP Printer Drivers (Remove only)
    Internet Explorer Q867801
    InterVideo WinDVD
    iPod for Windows User Guide
    iPod System Software Updater 2.1
    iTunes
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.1_04
    KazooStudio
    KBD
    K-Lite Codec Pack 2.10 Full
    Lernout & Hauspie TruVoice American English TTS Engine
    LimeWire PRO 4.12.3
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    MarketBrowser
    Masque Games on aim
    Microsoft Office XP Professional with FrontPage
    Microsoft XML Parser and SDK
    mobile PhoneTools
    Mozilla Firefox (0.9.3)
    Mozilla Firefox (1.0)
    MSXML 4.0 SP2 Parser and SDK
    MUSICMATCH Jukebox
    My Photo Center
    Nokia Multimedia Player
    Norton AntiVirus 2002
    Norton WMI Update
    NVIDIA Display Driver
    NVIDIA Windows 2000/XP Display Drivers
    One-on-One Diagnostic
    Outlook Express Update Q330994
    Panda ActiveScan
    PC-Doctor for Windows
    PeerGuardian v1.99pr7
    PigPen
    PowerDVD
    PS2
    Python 1.5 combined Win32 extensions
    Python 1.5.2 (final)
    Quicklinks
    QuickTime
    RealOne Player
    S3 Gamma
    S3 Savage4 Family Display Switch2 Utility
    SabreWing 2
    SE Helper Library
    Shockwave
    Sonic Foundry Super Duper Music Looper XPress
    Space Rocks
    Speedway
    Spybot - Search & Destroy 1.2
    SpywareBlaster v3.1
    StyleXP (remove only)
    Tcl 8.0.5 for Windows
    TI Connect(TM) 1.3
    TI-Black Link
    TI-Graph Link 83 Plus
    Tweakui Powertoy for Windows XP
    USB
    VideoLAN VLC media player 0.6.2
    Wild Wave Screens
    WildTangent Channel Manager
    WildTangent Multiplayer Library
    Winamp (remove only)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows XP Application Compatibility Update[Q319580]
    Windows XP Hotfix - KB821557
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB823559
    Windows XP Hotfix - KB823980
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB824146
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB839645
    Windows XP Hotfix - KB840315
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB841873
    Windows XP Hotfix - KB842773
    Windows XP Hotfix (SP1) [See Q307869 for more information]
    Windows XP Hotfix (SP1) [See Q309521 for more information]
    Windows XP Hotfix (SP1) [See Q310437 for more information]
    Windows XP Hotfix (SP1) [See Q311542 for more information]
    Windows XP Hotfix (SP1) [See Q311889 for more information]
    Windows XP Hotfix (SP1) [See Q311967 for more information]
    Windows XP Hotfix (SP1) [See Q313450 for more information]
    Windows XP Hotfix (SP1) [See Q314862 for more information]
    Windows XP Hotfix (SP1) [See Q315000 for more information]
    Windows XP Hotfix (SP1) [See Q315403 for more information]
    Windows XP Hotfix (SP1) [See Q317277 for more information]
    Windows XP Hotfix (SP1) [See Q318138 for more information]
    Windows XP Hotfix (SP1) [See Q318388 for more information]
    Windows XP Hotfix (SP1) [See Q318966 for more information]
    Windows XP Hotfix (SP1) [See Q319322 for more information]
    Windows XP Hotfix (SP1) [See Q319949 for more information]
    Windows XP Hotfix (SP1) [See Q320174 for more information]
    Windows XP Hotfix (SP1) [See Q320552 for more information]
    Windows XP Hotfix (SP1) [See Q320678 for more information]
    Windows XP Hotfix (SP1) [See Q323172 for more information]
    Windows XP Hotfix (SP1) [See Q324096 for more information]
    Windows XP Hotfix (SP1) [See Q324380 for more information]
    Windows XP Hotfix (SP1) [See Q326830 for more information]
    Windows XP Hotfix (SP1) [See Q328940 for more information]
    Windows XP Hotfix (SP1) [See Q329048 for more information]
    Windows XP Hotfix (SP1) [See Q329390 for more information]
    Windows XP Hotfix (SP1) [See Q329441 for more information]
    Windows XP Hotfix (SP1) [See Q329834 for more information]
    Windows XP Hotfix (SP1) Q328310
    Windows XP Hotfix (SP1) Q329170
    Windows XP Hotfix (SP1) Q331953
    Windows XP Hotfix (SP1) Q810577
    Windows XP Hotfix (SP1) Q811493
    Windows XP Hotfix (SP1) Q815021
    Windows XP Hotfix (SP1) Q817606
    Windows XP Hotfix (SP1) Q819696
    Windows XP Hotfix (SP2) [See Q329115 for more information]
    WinPcap 3.1 beta3
    WinRAR archiver
    WinZip
    XChange 360
    Yahoo! Messenger
    Zero-Knowledge Freedom
    ZoneAlarm Pro

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    In windows control panel addremove programs uninstall each of these programs, reboot if prompted.
    DealHelper
    Forethought
    Icons
    MarketBrowser
    Enhanced Browser Overlay
    Quicklinks
    Recommended uninstall's>
    WildTangent Channel Manager
    WildTangent Multiplayer Library
    ----------------------------------

    Start Hijackthis and place a check next to these items If there.
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O2 - BHO: (no name) - {E9BFE7B3-D326-4A6E-900B-AA1210B4F158} - \
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\Run: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\Run: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
    O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
    O4 - HKLM\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKLM\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKLM\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKLM\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKLM\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKLM\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe
    O4 - HKCU\..\Run: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\RunServices: [MS Manager Socket] C:\WINDOWS\SYSTEM32\OSAV32.exe
    O4 - HKCU\..\RunServices: [Current Service Validation] C:\WINDOWS\SYSTEM32\SysDllServ.exe
    O4 - HKCU\..\RunServices: [XP Manager Socket] C:\WINDOWS\SYSTEM32\OSAVCfg.exe
    O4 - HKCU\..\RunServices: [NT Application Server] C:\WINDOWS\SYSTEM32\MSAVCfg.exe
    O4 - HKCU\..\RunServices: [Admin Manager Update] C:\WINDOWS\SYSTEM32\SysExec.exe
    O4 - HKCU\..\RunServices: [Windows Validation Client] C:\WINDOWS\SYSTEM32\DBExecCom.exe

    O9 - Extra button: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5372F3CD-00CC-4FDD-9F9E-960C0876FEC5} - (no file) (HKCU)

    Im unsure of this item, if you are to fix it
    O8 - Extra context menu item: bugmenot - file://C:\Program Files\bugmenot.htm
    ====================================
    Hit fix checked and close Hijackthis.
    Restart the PC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Outdated program's
    Uninstall > Spybot - Search & Destroy 1.2
    Install update, check for and fix any problems found with SSD 1.4
    http://www.safer-networking.org/index.php?page=tutorial
    Uninstall > SpywareBlaster v3.1
    download and install the curren version http://www.javacoolsoftware.com/spywareblaster.html
    these old versons should be uninstalled
    J2SE Runtime Environment 5.0 Update 1
    Java 2 Runtime Environment Standard Edition v1.3.1_04

    Post a new hijackthis log in one reply and a combofix log in another

    Post a combofix log
    1. Download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    If the log is large You might need to post half in one reply half in another.

    Are you willing to replace norton ?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •