
slowdown and popups...any suggestions?


  • This topic is locked
8 replies to this topic

#1 evbo104

evbo104

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 28 November 2005 - 12:11 PM

I am having a lot of unusual slowdown and some popups. Started happening about a week ago when I got infested with some spyware removal virus. I got rid of that but I think I still have some infections. I have run all the usual tests, panda activescan, adaware, spybot... here is my hijackthis log. Thanks a lot!

Logfile of HijackThis v1.99.1
Scan saved at 1:11:04 PM, on 11/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ev\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [adobemgr] C:\WINDOWS\system32\adobemgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



#2 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 30 November 2005 - 08:45 PM

evbo104, :D

Welcome to the forum. It looks like you have a couple of Trojans installed on your system. I would advise you to use your computer only for accessing this site until we get you clean because the type of trojan you have is a magnet for attracting other infections as well as stealing personal information. :rant2:

DO THIS FIRST
Your HIJACKTHIS program is current, but it is very important that it resides in its own folder.
We will use Hijackthis (HJT) to make changes to your system and HJT will make backups of those changes.
If HJT is not in its own folder, those backups could be lost.

Easy to fix,
* just go to MY COMPUTER > YOUR C:\ DRIVE and create a new folder and name it HIJACKTHIS.
* Now scroll to where you have HJT currently, right click on the HJT icon and select CUT.
* Now open the new folder you just created and right click within that folder and select PASTE.
* Now HJT should reside in C:\HIJACKTHIS\HIJACKTHIS.EXE


Download the trial version of Spy Sweeper from Here
Note: On that page, in the Spy Sweeper section, click the link for "Free Trial", NOT the link for "Free Spyware Scan".
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.


Next, Proceed to this



SHOW HIDDEN FILES AND FOLDERS

* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK

* Don't forget to reverse this once your computer is clean


Reboot your computer into Safemode

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD

While in Safemode, Look for and delete the files in RED

C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe

Reboot normally

Download and Install http://www.ccleaner.com/

* Click on Run Cleaner
* Run the Issues Scan < When it asks you to backup the Registry..Say Yes


Post the log from Spysweeper along with a new HJT log please.

Ken :D

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#3 evbo104


Posted 01 December 2005 - 06:14 PM

thanks for the response: here is the new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 7:13:53 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp30EE.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

and here is the log from spy sweeper:

********
5:43 PM: | Start of Session, Thursday, December 01, 2005 |
5:43 PM: Spy Sweeper started
5:43 PM: Sweep initiated using definitions version 576
5:43 PM: Starting Memory Sweep
5:47 PM: Memory Sweep Complete, Elapsed Time: 00:03:22
5:47 PM: Starting Registry Sweep
5:47 PM: Found Adware: popuper
5:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (2 subtraces) (ID = 735573)
5:47 PM: Found Adware: security2k hijacker
5:47 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 796421)
5:47 PM: Found Trojan Horse: trojan-downloader-zlob
5:47 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797370)
5:47 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797671)
5:47 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || nvctrl.exe (ID = 813700)
5:47 PM: HKCR\nvideocodek.chl\ (2 subtraces) (ID = 820294)
5:47 PM: HKLM\software\classes\nvideocodek.chl\ (2 subtraces) (ID = 820324)
5:47 PM: Registry Sweep Complete, Elapsed Time:00:00:11
5:47 PM: Starting Cookie Sweep
5:47 PM: Found Spy Cookie: yieldmanager cookie
5:47 PM: ev@ad.yieldmanager[2].txt (ID = 3751)
5:47 PM: Found Spy Cookie: adecn cookie
5:47 PM: ev@adecn[2].txt (ID = 2063)
5:47 PM: Found Spy Cookie: specificclick.com cookie
5:47 PM: ev@adopt.specificclick[2].txt (ID = 3400)
5:47 PM: Found Spy Cookie: adrevolver cookie
5:47 PM: ev@adrevolver[1].txt (ID = 2088)
5:47 PM: ev@adrevolver[2].txt (ID = 2088)
5:47 PM: Found Spy Cookie: atwola cookie
5:47 PM: ev@ar.atwola[1].txt (ID = 2256)
5:47 PM: Found Spy Cookie: ask cookie
5:47 PM: ev@ask[1].txt (ID = 2245)
5:47 PM: ev@atwola[1].txt (ID = 2255)
5:47 PM: Found Spy Cookie: banner cookie
5:47 PM: ev@banner[1].txt (ID = 2276)
5:47 PM: Found Spy Cookie: casalemedia cookie
5:47 PM: ev@casalemedia[2].txt (ID = 2354)
5:47 PM: Found Spy Cookie: centrport net cookie
5:47 PM: ev@centrport[1].txt (ID = 2374)
5:47 PM: Found Spy Cookie: hypertracker.com cookie
5:47 PM: ev@hypertracker[1].txt (ID = 2817)
5:47 PM: Found Spy Cookie: statcounter cookie
5:47 PM: ev@statcounter[1].txt (ID = 3447)
5:47 PM: Found Spy Cookie: trafficmp cookie
5:47 PM: ev@trafficmp[1].txt (ID = 3581)
5:47 PM: Found Spy Cookie: zedo cookie
5:47 PM: ev@zedo[1].txt (ID = 3762)
5:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
5:47 PM: Starting File Sweep
5:59 PM: Warning: Unhandled Archive Type
6:01 PM: File Sweep Complete, Elapsed Time: 00:14:28
6:01 PM: Full Sweep has completed. Elapsed time 00:18:04
6:01 PM: Traces Found: 28
6:29 PM: Removal process initiated
6:29 PM: Quarantining All Traces: popuper
6:29 PM: Quarantining All Traces: security2k hijacker
6:29 PM: Quarantining All Traces: trojan-downloader-zlob
6:29 PM: Quarantining All Traces: adecn cookie
6:29 PM: Quarantining All Traces: adrevolver cookie
6:29 PM: Quarantining All Traces: ask cookie
6:29 PM: Quarantining All Traces: atwola cookie
6:29 PM: Quarantining All Traces: banner cookie
6:29 PM: Quarantining All Traces: casalemedia cookie
6:29 PM: Quarantining All Traces: centrport net cookie
6:29 PM: Quarantining All Traces: hypertracker.com cookie
6:29 PM: Quarantining All Traces: specificclick.com cookie
6:29 PM: Quarantining All Traces: statcounter cookie
6:29 PM: Quarantining All Traces: trafficmp cookie
6:29 PM: Quarantining All Traces: yieldmanager cookie
6:29 PM: Quarantining All Traces: zedo cookie
6:31 PM: Removal process completed. Elapsed time 00:01:52
********
5:42 PM: | Start of Session, Thursday, December 01, 2005 |
5:42 PM: Spy Sweeper started
5:43 PM: Your spyware definitions have been updated.
5:43 PM: | End of Session, Thursday, December 01, 2005 |

thanks a ton for your help!

#4 ken545


Posted 01 December 2005 - 07:10 PM

evbo104.

There may just be bits and pieces left over that we need to get rid of.


Open HJT Scan Only, close all open windows and your browser and put a checkmark in this entry and click on Fix Checked.

O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp30EE.tmp


Now do this..

Show Hidden Files and Folders

* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK

* Don't forget to reverse this once your computer is clean


Reboot your computer into Safemode

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD


Look for and delete this entry in Red
C:\WINDOWS\system32\hp30EE.tmp

Reboot normally.

I would like you to download and install Ewido Security Suite. This will get anything we may have missed.

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post the report into this thread along with a new HJT log

 
 
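An added example, not part of the original thread and not HijackThis's own code: a small Python parser that splits a HijackThis log into its running-process list and its coded entries, then diffs two scans the way the helper compares the first and second logs posted above. The two embedded logs are excerpts constructed from those posts, and the function and constant names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the 28 Nov and 1 Dec logs in this thread (not the full logs).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\AIM\aim.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [adobemgr] C:\WINDOWS\system32\adobemgr.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AIM\aim.exe

O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp30EE.tmp
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Entry lines start with a section code such as R1, O4 or O23, then " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Sections that describe code loaded automatically (labels are this example's own).
LOAD_POINT_CODES = {
    "O2": "Browser Helper Object",
    "O4": "autostart entry",
    "O20": "Winlogon Notify",
    "O23": "service",
}


@dataclass(frozen=True)
class Scan:
    processes: frozenset  # lower-cased paths from the "Running processes:" block
    entries: frozenset    # (code, rest of line) tuples


def parse_hjt(text):
    """Parse one HijackThis log into running processes and coded entries."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first coded entry ends the process list
            entries.add((match.group(1), match.group(2)))
        elif in_processes and line:
            # Windows paths are case-insensitive: System32 and system32 must match.
            processes.add(line.lower())
    return Scan(frozenset(processes), frozenset(entries))


def diff_scans(before, after):
    """Report what disappeared and what appeared between two scans."""
    return {
        "processes_gone": sorted(before.processes - after.processes),
        "processes_new": sorted(after.processes - before.processes),
        "entries_gone": sorted(before.entries - after.entries),
        "entries_new": sorted(after.entries - before.entries),
    }


def review_queue(diff):
    """New entries in load-point sections, for a reviewer to look up.

    This is a work list, not a verdict: software installed between the scans
    (here the cleanup tools themselves) shows up next to anything unwanted.
    """
    return [
        (code, LOAD_POINT_CODES[code], rest)
        for code, rest in diff["entries_new"]
        if code in LOAD_POINT_CODES
    ]


if __name__ == "__main__":
    changes = diff_scans(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER))
    for key in ("processes_gone", "processes_new", "entries_gone"):
        for item in changes[key]:
            print(f"{key}: {item}")
    for code, label, rest in review_queue(changes):
        print(f"review [{code} {label}]: {rest}")
```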

#5 evbo104


Posted 01 December 2005 - 10:56 PM

thanks for the quick response again! here is the newest hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:51 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



and here is the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:53:41 PM, 12/1/2005
+ Report-Checksum: 597A85FE

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\hjt\backups\backup-20051201-215752-514.dll -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\hp42A1.tmp -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\hpC569.tmp -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\mscornet.exe -> Downloader.Zlob.bl : Cleaned with backup


::Report End
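A triage sketch for a report like the one above, added here as an example; it is not part of the original post and is not Ewido's own code. It parses the `location -> detection : action` lines (a format inferred only from the lines shown in this thread), counts tracking-cookie hits separately, and buckets the file detections by location. The function names and bucket labels are assumptions; the sample lines are copied from the report above.

```python
import re
from collections import Counter

# Sample lines copied from the report posted above.
SAMPLE = r"""
:mozilla.21:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Ev\Application Data\Mozilla\Firefox\Profiles\oww9wimz.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\hjt\backups\backup-20051201-215752-514.dll -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\hp42A1.tmp -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\mscornet.exe -> Downloader.Zlob.bl : Cleaned with backup

::Report End
"""

# Format inferred from those lines: [:store:]path -> detection : action
LINE = re.compile(
    r"^(?::(?P<store>[^:]+):)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")

def parse_report(text):
    """Return one dict per detection line; skip blanks and '::' markers."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):
            continue
        m = LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries):
    """Count cookie hits by name; label each file hit by where it was found."""
    cookies, files = Counter(), []
    for e in entries:
        if ".Cookie." in e["name"]:
            cookies[e["name"]] += 1
            continue
        path, kind = e["path"].lower(), "other"
        if "\\backups\\" in path:
            kind = "tool-backup"   # assumption: copy kept by a removal tool
        elif path.startswith("c:\\windows\\system32\\"):
            kind = "system-dir"    # file sat in the Windows system directory
        files.append((kind, e["name"], e["path"]))
    return cookies, files

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE)))
```

The file hits are the ones to follow up on; the cookie hits are entries inside `cookies.txt`, not separate files.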

#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 December 2005 - 06:34 AM

evbo104, your log looks OK. FYI, even though Ewido is a trial, you can still keep it with limited functionality; you will still be able to download updates and run the program when you need to. How is your computer running now? Post back and I have some tips and free programs for you to install to help keep you more secure. Ken :D

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#7 evbo104


Posted 02 December 2005 - 01:02 PM

It seems much better, but still a little less fast than it used to be after I reformatted a couple months ago... probably just because there is so much installed on it and running in the background... What's the easiest way to reduce that? Thanks for all your help!

#8 ken545


Posted 02 December 2005 - 01:34 PM

evbo104, :D

Glad things are better.

Some of these tips will clean you up real well, be sure to follow the procedure for System Restore because everything you :thumbup: cleaned off this system is backed up in that program and if you ever use it to revert your system to an earlier date, you will be infected all over again. :rant2:

If you install the WinPatrol Program, you can use it to stop programs that you don't want from loading at startup and that may help you a bit.

Also get in the habit of running the Disk Defragger, this will help organize your hard drive and may also help to speed things up.


Here are some free programs and tips for keeping your system up to date, and to help keep all the riff raff out of your system.

* Download and Install CCleaner, Click on RUN TOOL, when you run the Issues Scan and it asks you to back up the registry, say Yes.

Now that you're clean, we need to erase all possible older infected files that may still be lurking on your system.
* Clean out your TEMP FILES
* This procedure should be run from SAFEMODE for better results.

To Enter SAFEMODE

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD

* Go to My Computer/ C: Drive/ Documents and Settings/ Local Settings/ Every User on this Computer
and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Temp and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch Folder.
But not the Prefetch folder itself.

NOW RE-BOOT NORMALLY


* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on),
* click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON . This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.

Now Empty your Recycle Bin

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your
system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

Reboot your System

Turn ON System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember

* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once a week.

* Here are Free Anti-Virus Programs if you need one

AVG Free Edition
AntiVir Personal Edition


* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.

* Spyware Blaster It will prevent most spyware from ever being installed.

* Spyware Guard It offers realtime protection from spyware installation attempts.

* Win Patrol This program will warn you when any changes are being made to your system and give you the option to deny the change.

* IE- Spyad IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use Firefox for awhile, you will want to make it your default.

* Thunderbird Mail Their companion mail program was highly favored in PCWorld Magazine, this has a good spam filter and is more secure than Outlook Express.

* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.

* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button
DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.

* Go to START/ CONTROL PANEL> PERFORMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running good. The first time you run it, it may take awhile.

Thanks for using TOM COYOTE I will keep this thread open for a few days in case you have any other questions.

Ken :D


#9 ken545


Posted 13 December 2005 - 06:37 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

