Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92315 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

cant get rid of oinadserver


  • This topic is locked This topic is locked
16 replies to this topic

#1 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 16 November 2005 - 03:17 PM

I picked this junk up at a photographers forum...near as I can tell. This is the worst infection of adware I've ever experienced. I turned it off for now (temp solution) by adding loopback pointers for most of the junk being accessed, like www.oinadserver.com ... But I've run spybot, adaware numerous times, registry repair, (surfsidekick was killing me yesterday). But I've still got this ad carp** coming up every time I go to a web page.

Thanks in advance for any help you can give me.

In the log... the 017 stuff is work related.

Here's my Hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 1:51:58 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Progra~1\NavNT\vptray.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\system32\dla\tfswctrl.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\System Files\System.exe
C:\Program Files\paar\lnat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Apache2\Apache2\bin\ApacheMonitor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\w?wexec.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\winnt\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} -

C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CC5E7FC9-EA5C-C7A8-2EE6-B19EFE675D91} -

C:\winnt\system32\hpj.dll
O2 - BHO: (no name) - {D222A47C-1DCE-0446-76E4-17729E6E7595} -

C:\winnt\tvozlvab.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2F9B76E6-BDD6-13B1-6A36-8062DB64F2F3} -

C:\winnt\tvozlvab.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP

Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program

Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate

Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate

Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio

Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator

6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard

Gold\agquickp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [dla] C:\winnt\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pipoki.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo

Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe"

/auto:TivoServer /registry /service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe

-quiet
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [Eacs] "C:\Program Files\paar\lnat.exe" -vt yazr
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk =

C:\Apache2\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program

Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} -

http://www.pacimedia...ll/pcs_0002.exe
O17 -

HKLM\System\CCS\Services\Tcpip\..\{3689C654-D64F-410F-99EA-08FBABDB2336}:

NameServer = 192.168.1.77,24.53.86.14,24.53.86.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =

w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqc

orp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.

dtv.cxo.dec.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =

w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqc

orp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.

dtv.cxo.dec.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =

w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqc

orp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.

dtv.cxo.dec.com
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. -

C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program

Files\Common Files\ActivCard\accoca.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Apache1\Apache\Apache.exe"

--ntservice (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Apache2\Apache2\bin\Apache.exe"

-k runservice (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner -

C:\winnt\cGF0\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation -

C:\Progra~1\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON

CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec

Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. -

C:\WINNT\system32\pctspk.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point

Software Technologies - C:\Program

Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point

Software Technologies - C:\Program

Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: TabletService - Wacom Technology, Corp. -

C:\winnt\system32\Tablet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program

Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

    Advertisements

Register to Remove


#2 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 23 November 2005 - 03:40 PM

Hello and welcome to the forums. Sorry for the delay in responding, but we have been pretty busy here lately. Since your log might have changed since your last posting, I would like to see a new log. If you could please post a new log, I will be glad to review it. Please turn off WordWrap in Notepad before you copy your log.

#3 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 24 November 2005 - 08:59 AM

Thanks! I turned off word wrap in Notebook before I cut and paste, but it looks like it wraps it in the reply window, too. ?

Logfile of HijackThis v1.99.1
Scan saved at 7:43:28 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Progra~1\NavNT\vptray.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\system32\dla\tfswctrl.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\System Files\System.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Apache2\Apache2\bin\ApacheMonitor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\w?wexec.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINNT\notepad.exe
C:\WINNT\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\paar\lnat.exe
C:\WINNT\notepad.exe
C:\WINNT\system32\mstsc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\winnt\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CC5E7FC9-EA5C-C7A8-2EE6-B19EFE675D91} - C:\winnt\system32\hpj.dll
O2 - BHO: (no name) - {D222A47C-1DCE-0446-76E4-17729E6E7595} - C:\winnt\tvozlvab.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2F9B76E6-BDD6-13B1-6A36-8062DB64F2F3} - C:\winnt\tvozlvab.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\winnt\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pipoki.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3689C654-D64F-410F-99EA-08FBABDB2336}: NameServer = 192.168.1.77,24.53.86.14,24.53.86.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Apache1\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Apache2\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\winnt\cGF0\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\winnt\system32\Tablet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVoShared\Beacon\TiVoBeacon.exe

#4 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 24 November 2005 - 11:39 AM

Please download the trial version of Ewido Security Suite here. Install it, and update the definitions to the newest files.

Next, reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see this site.

Run the complete Ewido scan and allow it fix what it finds. Please post the log from Ewido for me to review.

#5 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 25 November 2005 - 01:37 PM

I did what you said yesterday in between making T. Day Dinner for my kids! :)

Anyway, here's the latest ewito report.

I had to turn off yahoo toolbar to get to this site!

And... would you mind telling me what that

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

in the hijackthis log is about?

Thanks very much for your help.

-----------------------------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:24:27 PM, 11/25/2005
+ Report-Checksum: 10932AD1

+ Scan result:

C:\Documents and Settings\soehl\Cookies\soehl@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\soehl\Cookies\soehl@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\soehl\Local Settings\Temporary Internet Files\Content.IE5\XLM42EX5\!update-2895[1].0000 -> Spyware.MediaTickets : Cleaned with backup


::Report End

#6 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 28 November 2005 - 10:33 AM

Did you do a complete system scan? The O15 entry indicates a site that you trust to run at a lower level of security than other sites. Depending on your security settings, it will allow sites to run things that might normally be blocked by default.

#7 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 28 November 2005 - 03:41 PM

I guess what I meant was more: "What is this awbeta* site about". I got brave and went to it. It's a site that has this "mirar" sw that it's hawking. Which as I remember, was what hijacked my browser in the early phases of this infestation. I used hijack this to remove it. I seem to be stable right now.... so I guess I'll call this one closed. I have now heightened my level of paranoia! Thanks for your help. Pat

#8 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 28 November 2005 - 03:48 PM

Oh, and yes, I did a complete system scan.

#9 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 29 November 2005 - 09:43 AM

Let's not call it quite yet. Can you post a new HJT log?

#10 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 29 November 2005 - 09:53 AM

Ok. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 8:50:57 AM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\winnt\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Progra~1\NavNT\vptray.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\winnt\system32\dla\tfswctrl.exe
C:\Progra~1\NavNT\defwatch.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Apache2\Apache2\bin\ApacheMonitor.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\w?wexec.exe
C:\winnt\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\winnt\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {CC5E7FC9-EA5C-C7A8-2EE6-B19EFE675D91} - C:\winnt\system32\hpj.dll
O2 - BHO: (no name) - {D222A47C-1DCE-0446-76E4-17729E6E7595} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2F9B76E6-BDD6-13B1-6A36-8062DB64F2F3} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\winnt\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\winnt\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3689C654-D64F-410F-99EA-08FBABDB2336}: NameServer = 192.168.1.77,24.53.86.14,24.53.86.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ckpNotify - C:\winnt\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Apache1\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Apache2\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\winnt\system32\Tablet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

    Advertisements

Register to Remove


#11 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 29 November 2005 - 10:04 AM

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please run HijackThis and click "Scan." Place checks next to the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {CC5E7FC9-EA5C-C7A8-2EE6-B19EFE675D91} - C:\winnt\system32\hpj.dll
O2 - BHO: (no name) - {D222A47C-1DCE-0446-76E4-17729E6E7595} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2F9B76E6-BDD6-13B1-6A36-8062DB64F2F3} - (no file)
O18 - Filter: text/html - (no CLSID) - (no file)


Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Delete the following files and folders (if found):
C:\winnt\system32\hpj.dll <--This file.

Reboot your computer and post a new HJT log.

#12 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 29 November 2005 - 11:19 AM

Ok... here you go!

Logfile of HijackThis v1.99.1
Scan saved at 10:17:09 AM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\winnt\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Progra~1\NavNT\vptray.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\winnt\system32\dla\tfswctrl.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Apache2\Apache2\bin\Apache.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Apache2\Apache2\bin\ApacheMonitor.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\winnt\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\winnt\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\winnt\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\winnt\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\winnt\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3689C654-D64F-410F-99EA-08FBABDB2336}: NameServer = 192.168.1.77,24.53.86.14,24.53.86.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = w2k.dtv.cxo.dec.com,crmprod.w2k.dtv.cxo.dec.com,dtv.cxo.dec.com,americas.cpqcorp.net,cxo.cpqcorp.net,dtv_cxo3.pcdns.dtv.cxo.dec.com,tacacs.dtv_cxo3.pcdns.dtv.cxo.dec.com
O20 - Winlogon Notify: ckpNotify - C:\winnt\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Apache1\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Apache2\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\winnt\system32\Tablet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

#13 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 29 November 2005 - 08:16 PM

Ok, that looks fine. How are things running?

#14 pat nolan

pat nolan

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 30 November 2005 - 07:32 AM

It's looking pretty good right now. I think we can close this. Thanks very much! I was beginning to believe I was going to have to re-install Windoze. Take care, Pat

#15 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 30 November 2005 - 09:47 AM

Glad to hear it. Please re-enable TeaTimer (let me know if you need help with that).

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. :P
  • On a regular basis, please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer.
  • In order to protect yourself against spyware, you should consider installing and running the following free programs:
    • Ad-Aware SE. A tutorial on using Ad-Aware to remove spyware from your computer may be found here. You have this installed currently. Please keep it updated and run it on a regular basis.
    • Spybot-Search & Destroy. A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features. You have this installed currently. Please keep it updated and run it on a regular basis.
    • SpywareBlaster. A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
    • SpywareGuard. A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.
    Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.
  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.
  • Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Sygate, or
    Outpost
    A tutorial on understanding and using firewalls may be found here.
Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :D

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users