Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91818 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Log help PLESAE...........


  • This topic is locked This topic is locked
21 replies to this topic

#1 trucker52

trucker52

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 10 November 2005 - 03:44 PM

Here is the log from my husbands computer. He is having trouble with the hour glass always running and sometimes the computer says there is a program running, but not that we can see. I think he has a virus or something. I cleaned the computer with spybot and he is using pc-cillin.
In his task bar at the bottom of the page there seem to be so many things there that I do not have on my computer. He has QuickTime which he doesn't know how it got there and can't seem to get rid of it.

His computer will freeze alot on him with the hour glass running and you can't do anything except shut down and then when you restart sometimes it will freeze right away and sometimes he can work for awhile befrore freezing up.

Please help.
thank you,
Diann

Log file.

Logfile of HijackThis v1.99.1
Scan saved at 2:30:08 PM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Doug Hafeman\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.c...,139415,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /scan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/t...free_access.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B42FA82A-B13A-483D-8F78-8D4F8FA411F1} (ChengDu FlyDragon vision WebView) - http://65.97.145.37/long.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Edited by trucker52, 10 November 2005 - 03:47 PM.

    Advertisements

Register to Remove


#2 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 12 November 2005 - 04:10 PM

Hi Diann, Welcome to TomCoyote forum. QuickTime was probably installed when the computer was purchased, a wrong click activates it and puts the icon in the system tray. If you want it gone, I will remove it (take it off all my computers also, along with RealPlayer). You also have another resource waster here:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe <<< this one is an aol install that is usually bundled with other aol junk and at the very least is a resource waster. I will remove it also, and you should pass over the instruction if you do not want that stuff removed. I want to mention that your Java is out of date, you should open Java in the Control Panel, locate and update.

Before we start, you are running HJT from a .zip file in a Temporary Directory, backups for safety will get deleted. You should have received this warning: http://russelltexas....nsafefolder.gif I prefer you run from here: C:\HJT\HijackThis.exe. If you need additional instructions use these:
http://russelltexas....tehjtfolder.htm Since we will be using HJT in this fix, make sure this is done before you proceed.

1) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

3) Ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

4) Open your Contol Panel then Add Remove Programs. Locate and uninstall these items:
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\WinFixer_2005\uwfx5.exe

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.c...,139415,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /scan
(unless you use Alexa toolbar, remove the next two resource wasters)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/t...free_access.cab
(if you don't know the next one is safe, remove it)
O16 - DPF: {B42FA82A-B13A-483D-8F78-8D4F8FA411F1} (ChengDu FlyDragon vision WebView) - http://65.97.145.37/long.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\QuickTime\ >>> folder

C:\Program Files\Viewpoint\ >>> folder

C:\Program Files\SurfAccuracy\ >>> folder

C:\Program Files\WinFixer_2005\ >>> folder <<<NASTY

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

7) Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do. Then restart the computer and post a new HJT log and the Ewido scan results in this same thread along with any feedback you have. They may be more to do.

8) When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions:
http://service1.syma...src=sec_doc_nam

***you may put Weatherbug back once you are clean if you wish, just make sure it is version 6.0 or higher***

Thanks...pskelley
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#3 trucker52

trucker52

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 14 November 2005 - 12:40 PM

here is the new log. Hope I did everything right.
Your instructions were easy to follow.
Thanks


Logfile of HijackThis v1.99.1
Scan saved at 11:38:09 AM, on 11/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Doug Hafeman\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/t...free_access.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Edited by trucker52, 14 November 2005 - 12:41 PM.


#4 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 14 November 2005 - 01:53 PM

Hi Diann, You have not followed these directions :(

Before we start, you are running HJT from a .zip file in a Temporary Directory, backups for safety will get deleted. You should have received this warning: http://russelltexas....nsafefolder.gif I prefer you run from here: C:\HJT\HijackThis.exe. If you need additional instructions use these:
http://russelltexas....tehjtfolder.htm Since we will be using HJT in this fix, make sure this is done before you proceed.

My request as you see was make sure this is done before you proceed. If we need backups we may well not have them, please follow the directions to do that now and then post a new HJT log reflecting the changes for safety. You do have more to do and I will post the next instruction at that point.

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#5 trucker52

trucker52

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 15 November 2005 - 04:16 PM

I did do as you asked but when I click the hijackit it kept going into the zip file. I hope I copied it right into the HJT file.

Logfile of HijackThis v1.99.1
Scan saved at 3:15:19 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/t...free_access.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#6 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 15 November 2005 - 04:40 PM

OK Diann, this is perfect: :) C:\HJT\HijackThis.exe and it looks like there is no other version. You can follow the path here: C:\Documents and Settings\Doug Hafeman\Local Settings\Temp\ <<< to that Temp folder highlited in red and delete everything in the folder. If you have other users do the same thing with them.

Logfile of HijackThis v1.99.1 Scan saved at 3:15:19 PM, on 11/15/2005

Take a look in Add Remove programs for this item: C:\Program Files\SurfAccuracy\ if it is there uninstall it.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
SurfAccuracy adware
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/t...free_access.cab
ISTbar Websearch
Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\SurfAccuracy\ <<< folder

Empty the recycle bin and restart the computer. I need some feedback now on how you are running. Good job following these complex directions. I would like one more HJT log and a look at your uninstall programs.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks...Phil :wavey:

Edited by pskelley, 15 November 2005 - 04:40 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#7 trucker52

trucker52

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 15 November 2005 - 10:39 PM

Here we go again. I never did find the C:\Program Files\SurfAccuracy\ <<< folder.
It seems like his computer freezes up alot.
thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:38:04 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE




3D Groove Playback Engine
AccessDirect
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.5
BCM V.92 56K Modem
Broadcom Advanced Control Suite
CCleaner (remove only)
ContextPlus
Dell Digital Jukebox Driver
Dell Solution Center
Dell Wireless WLAN Utility
DirectX 9 Hotfix - KB839643
Drivers Daily Log
DVDSentry
Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
ewido security suite
HijackThis 1.99.1
HP Memories Disc
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 5
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Streets and Trips 2005
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (1.0.7)
MSN Music Assistant
NVIDIA Windows 2000/XP Display Drivers
Outlook Express Q823353
Power Scan
PowerDVD
QuickSet
RealPlayer Basic
Riding Star
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spell Checker For OE 2.1
Spybot - Search & Destroy 1.3
Synaptics Pointing Device Driver
Trend Micro PC-cillin Internet Security 2005
Update for Windows XP (KB898461)
WeatherBug
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB889293
WordPerfect Office 11

#8 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 16 November 2005 - 08:17 AM

Hello Diann, you said:

It seems like his computer freezes up alot

I want you to understand there are many, many reason for this. Malware in excess can cause it and that is what we are removing, but it can also be caused by lack of maintenance, some programs that don't run well with the system, need to update drivers, excessive clutter on the computer, and here are 1,650,000 other reasons according to Google:
http://www.google.co...G=Google Search Let's finish our clean up and I may have some suggestion once we are sure the malware is gone.

It seems you have not provided me with the ewido scan results I requested in item #7 of the first set of instructions. It is important that I see what was removed by Ewido. If you installed ewido in the default position then go to C:\Program Files\ and locate "ewido" open that folder then open the security suite folder. Find a folder named "Reports" and open it. There should only be one Scan report there (unless you ran ewido more than once), open that txt file and copy/paste the information here the same way you do a HJT log. Thanks.

Logfile of HijackThis v1.99.1 Scan saved at 9:38:04 PM, on 11/15/2005

Your log is clean, a few programs are running you may not need to start each time, once I have reviewed the ewido scan report I will comment on them.
For starters I suggest you go here: http://www.microsoft..._october08.mspx
http://www.microsoft...kd_tro_hgle.asp

Uninstall list: I am looking for bad stuff, but you also should look at this list with your husband. Unknown programs should be investigated and gotten rid of if not needed and any programs that are no longer used should be uninstalled also. Here is what I see:

Drivers Daily Log <<< this may give you a clue if drivers need updating? It only takes one to cause an issue.

Spybot - Search & Destroy 1.3?? Out of date, these instruction should have fixed that??
2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php

WeatherBug <<< unless this is version 6.0 or above it is adware and should be uninstalled.

ewido security suite: Once the trial is over you can still use the update and scan features, but make sure the program is NOT running. Uncheck it in MSConfig if it is and disable or set the service to manual: http://is-it-true.or...s/utips76.shtml

That's all I see, but you may see other stuff that is not longer needed.

After you have completed all maintenance proceedures, I suggest you go here: http://www.pcpitstop.com/ and run a free diagnostic on the computer. You can get help understanding the results here: http://pcpitstop.inv...php?showforum=6

Post that ewido scan report and your comments or questions.

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#9 trucker52

trucker52

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 17 November 2005 - 02:16 PM

ewido security suite - Scan report --------------------------------------------------------- + Created on: 11:03:51 AM, 11/14/2005 + Report-Checksum: 54586362 + Scan result: HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\.Owner -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup HKU\S-1-5-21-1656385671-685365194-1940223835-1007\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup HKU\S-1-5-21-1656385671-685365194-1940223835-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup [2212] C:\Program Files\SurfAccuracy\SAcc.exe -> Spyware.SurfAccuracy : Cleaned with backup :mozilla.7:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup :mozilla.9:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup :mozilla.10:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup :mozilla.13:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup :mozilla.23:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup :mozilla.24:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup :mozilla.32:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup :mozilla.51:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup :mozilla.52:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup :mozilla.57:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.58:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.59:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.60:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.65:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.66:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.67:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.68:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.69:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.70:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.71:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.76:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.77:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.79:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.80:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.81:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.82:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.83:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.84:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.85:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.86:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.88:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.89:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.90:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.91:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup C:\Program Files\SurfAccuracy -> Adware.SurfAccuracy : Cleaned with backup C:\Program Files\SurfAccuracy\License.lnk -> Adware.SurfAccuracy : Cleaned with backup C:\Program Files\SurfAccuracy\SAcc.cfg -> Adware.SurfAccuracy : Cleaned with backup C:\Program Files\SurfAccuracy\SAcc.exe -> Adware.SurfAccuracy : Cleaned with backup C:\Program Files\SurfAccuracy\SAccU.exe -> Adware.SurfAccuracy : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP145\A0039765.exe -> TrojanDownloader.Zlob.aq : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042124.dll -> Adware.PSGuard : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042125.dll -> Adware.PSGuard : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042126.dll -> Adware.PSGuard : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042127.exe -> Adware.PSGuard : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042130.exe -> Trojan.Small.ev : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042131.exe -> TrojanDownloader.Small.vu : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042133.dll -> TrojanDownloader.Agent.yb : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042166.dll -> Trojan.Promoter.c : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042167.exe -> TrojanDownloader.Agent.uz : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0042169.exe -> TrojanDownloader.Zlob.aw : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP164\A0045882.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP164\A0045883.dll -> Spyware.SideFind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP164\A0045884.dll -> Spyware.SideFind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP164\A0045885.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP164\A0045887.exe -> Spyware.PowerScan : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP165\A0045919.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP165\A0045920.dll -> Spyware.SideFind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP165\A0045921.dll -> Spyware.SideFind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP165\A0045922.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP165\A0045924.exe -> Spyware.PowerScan : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP166\A0045947.dll -> TrojanDownloader.Dyfuca : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP166\A0045948.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP166\A0045950.exe -> Spyware.PowerScan : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP166\A0045951.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP166\A0045952.dll -> Spyware.SideFind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP167\A0048959.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP167\A0048960.dll -> Spyware.SideFind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP169\A0049067.dll -> Spyware.SideFind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP169\A0049068.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP173\A0055064.dll -> TrojanDownloader.IstBar.lv : Cleaned with backup C:\WINDOWS\SYSTEM32\ld6C6F.tmp -> TrojanDownloader.Zlob.az : Cleaned with backup ::Report End

#10 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 17 November 2005 - 04:16 PM

As you can see ewido removed a lot of junk from this computer. You should review the report to see where the junk if hiding. This information will help with the cookies:
http://www.mozilla.o..._priv_help.html
http://privacy.getne...tools/firefox1/

Use this information to clean your System Restore files.
http://service1.syma...src=sec_doc_nam

After your System Restore files are clean, update ewido and run it again, post the results along with a new HJT log. Is there more than one user on this computer? If there is I need to see a log for each user.

Make sure you posted your diagnostic report at PCPitStop for diagnosis help. Please post a link to that topic so I can see what they say. You can send that to me here:
http://pcpitstop.inv...?showuser=24733 via a PM.

Thanks
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

    Advertisements

Register to Remove


#11 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 27 November 2005 - 05:55 AM

No response from this member since 11/17 :( I will close this post in 24 hours.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#12 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 29 November 2005 - 12:52 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#13 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 30 November 2005 - 05:23 PM

This topic has been reopened by request of the starter of this topic.

Hello,
I would like to reopen this thread. My husband was out of town then I ended up in the hospital over Thanksgivings and couldn't get back to this.


Edited by LDTate, 30 November 2005 - 05:25 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#14 trucker52

trucker52

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 30 November 2005 - 07:31 PM

Thank you for reopening this thread. Things have been kinda crazy the last few weeks here.
Here is the logfile and the ewido file. When I clicked on your link to clean the system restore files all I see it does is disable and enable the files but I did it and restarted the computer. On the PCPitStop I ran the test and it says everything is fine on the computer.
http://www.pcpitstop...XZF0WFBE7CSMA3R
http://pcpitstop.inv...howtopic=105143
Only one user on this computer.



Logfile of HijackThis v1.99.1
Scan saved at 5:36:51 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DOUGHA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Reader Spe
ed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:30:18 PM, 11/30/2005
+ Report-Checksum: DC8B018D

+ Scan result:

:mozilla.10:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Doug Hafeman\Application Data\Mozilla\Firefox\Profiles\3yzubtbi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup


::Report End

#15 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 30 November 2005 - 07:48 PM

Hello Diann, when we left off you had your HJT properly place here: C:\HJT\HijackThis.exe on this date: Nov 15 2005, 05:16 PM
The log you just posted has it here again:
C:\DOCUME~1\DOUGHA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe We worked very hard to get that log in a safe place. Please return HJT to where it was and delete any other version you have onboard. Post a new HJT log showing this when you have it done. It will be morning EST before I will have time to look at this.

Thanks...pskelley
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users