Thank God I found you! HJT Log help needed!


  • This topic is locked
6 replies to this topic

#1 KennyB

KennyB

    New Member

  • 5 posts

Posted 04 December 2005 - 12:38 PM

I have been fighting the "Battle Against Pop Ups" for weeks now... Have done everything I could find to no avail. Kept seeing HijackThis mentioned and logs posted and finally have arrived here! YAY! I will post my log file below and thank you in advance for any advice to solve this problem. I have run Panda/Adaware SE/Spybot S & D and they find things (mostly cookies) but pop ups keep coming, esp. Winfixer and Cassava. I am almost ready to reformat!


Logfile of HijackThis v1.99.1
Scan saved at 12:24:22 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Panda_cleaner_194327] C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavdr.exe 194327
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom &Out - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...iliate=MEDIAGEN
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe



#2 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • 3,879 posts
  • Interests: Computers, fishing, biking, basketball, travel

Posted 09 December 2005 - 01:46 PM

Hello and welcome to TomCoyote forum. Please follow these directions. SpybotSD TeaTimer will block the fix; use these instructions to turn it off until you are done: http://russelltexas....re/teatimer.htm

It is important that you download the Spy Sweeper 4.5 - Free Trial at the bottom of this page:
http://www.webroot.c...er/latestv.html
Now follow these directions.

Download the free trial version of Spy Sweeper
Note: On that page, in the Spy Sweeper section, click the link for "Free Trial", NOT the link for "Free Spyware Scan".
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer <<< very important


Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
(may be gone)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions: http://www.ccleaner.com/help/tour1.asp Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. Then restart the computer and post a new HJT log and the SpySweeper log in this same thread along with any feedback you have.

Thanks...pskelley
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
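The checks pskelley applies by eye above (R1 search entries redirected to an unfamiliar host, an unrecognised O20 Winlogon Notify DLL, orphaned "(file missing)" entries) expressed as a small triage script for HijackThis v1.99 logs. This is an added example for this thread, not HijackThis code or the helper's own method; the hostnames in the sample excerpt are constructed placeholders because the forum truncated the original URLs, and the allowlists are illustrative, so a hit means "review", not "delete".

```python
"""Triage of a HijackThis v1.99 log: surface the entry classes a helper
reviews first.  Added example; allowlists are illustrative, not complete."""
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the log in this thread.  The forum
# truncated the original URLs, so the web hosts below are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.example/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.popcap.example/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
"""

# Hosts a start/search page or downloaded ActiveX control may legitimately
# point at on this machine (illustrative allowlist; extend per system).
TRUSTED_WEB_HOSTS = ("yahoo.com", "microsoft.com", "msn.com", "hp.com")

# Winlogon Notify packages shipped with Windows XP plus the Webroot one seen
# in this thread (illustrative).  Anything else loads into winlogon.exe at
# every logon and deserves a look.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WRNotifier",
}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) tuples for every R*/O* entry line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def host_trusted(url):
    """True if the URL's host is, or is a subdomain of, an allowlisted host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_WEB_HOSTS)


def triage(entries):
    """Return (section, reason, body) for entries worth a second look."""
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1"):
            # body looks like "<registry key>,<value name> = <data>"
            _, _, value = body.partition(" = ")
            if value.startswith("http") and not host_trusted(value):
                findings.append((sec, "IE start/search page points at an untrusted host", body))
        elif sec == "O16":
            # last " - " separated field is the download URL of the control
            url = body.rsplit(" - ", 1)[-1]
            if not host_trusted(url):
                findings.append((sec, "ActiveX control downloaded from an untrusted host", body))
        elif sec == "O20":
            name = body.split("Winlogon Notify: ", 1)[-1].split(" - ", 1)[0]
            if name not in KNOWN_NOTIFY:
                findings.append((sec, "unrecognised Winlogon Notify DLL (loaded by winlogon at logon)", body))
        elif sec == "O23" and "- Unknown owner -" in body:
            findings.append((sec, "service without publisher information", body))
        if body.endswith("(file missing)"):
            findings.append((sec, "orphaned entry, target file no longer exists", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sec}] {reason}\n    {body}")
```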

#3 KennyB

KennyB

    New Member

  • 5 posts

Posted 09 December 2005 - 08:33 PM

Amazing how easy you make this look! Here are my updated logs for your review. I will let you know if the popups continue.

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 8:28:00 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: hp psc 1000 series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom &Out - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...iliate=MEDIAGEN
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe


SpySweeper Log

********
6:24 PM: | Start of Session, Friday, December 09, 2005 |
6:24 PM: Spy Sweeper started
6:24 PM: Sweep initiated using definitions version 582
6:24 PM: Starting Memory Sweep
6:33 PM: Memory Sweep Complete, Elapsed Time: 00:09:10
6:33 PM: Starting Registry Sweep
6:36 PM: Found Adware: quicklink search toolbar
6:36 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
6:36 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
6:36 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
6:36 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
6:36 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
6:36 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
6:36 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
6:36 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
6:36 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
6:36 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
6:36 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
6:36 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
6:36 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
6:36 PM: Found Adware: instant access
6:36 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
6:36 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
6:36 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
6:36 PM: Found Adware: coolwebsearch (cws)
6:36 PM: HKU\WRSS_Profile_S-1-5-21-1343024091-515967899-839522115-1006\software\microsoft\windows\currentversion\run\ || quicktime task (ID = 112405)
6:37 PM: Registry Sweep Complete, Elapsed Time:00:04:11
6:37 PM: Starting Cookie Sweep
6:37 PM: Found Spy Cookie: atwola cookie
6:37 PM: kids@atwola[1].txt (ID = 2255)
6:37 PM: Found Spy Cookie: go.com cookie
6:37 PM: big daddy@abc.go[1].txt (ID = 2729)
6:37 PM: big daddy@abcnews.go[1].txt (ID = 2729)
6:37 PM: Found Spy Cookie: yieldmanager cookie
6:37 PM: big daddy@ad.yieldmanager[1].txt (ID = 3751)
6:37 PM: Found Spy Cookie: adecn cookie
6:37 PM: big daddy@adecn[1].txt (ID = 2063)
6:37 PM: Found Spy Cookie: adknowledge cookie
6:37 PM: big daddy@adknowledge[2].txt (ID = 2072)
6:37 PM: Found Spy Cookie: adprofile cookie
6:37 PM: big daddy@adprofile[2].txt (ID = 2084)
6:37 PM: Found Spy Cookie: cc214142 cookie
6:37 PM: big daddy@ads.cc214142[1].txt (ID = 2367)
6:37 PM: big daddy@ar.atwola[2].txt (ID = 2256)
6:37 PM: big daddy@atwola[1].txt (ID = 2255)
6:37 PM: Found Spy Cookie: burstnet cookie
6:37 PM: big daddy@burstnet[2].txt (ID = 2336)
6:37 PM: Found Spy Cookie: exitexchange cookie
6:37 PM: big daddy@exitexchange[1].txt (ID = 2633)
6:37 PM: big daddy@go[2].txt (ID = 2728)
6:37 PM: Found Spy Cookie: clickandtrack cookie
6:37 PM: big daddy@hits.clickandtrack[2].txt (ID = 2397)
6:37 PM: Found Spy Cookie: metareward.com cookie
6:37 PM: big daddy@metareward[2].txt (ID = 2990)
6:37 PM: Found Spy Cookie: nextag cookie
6:37 PM: big daddy@nextag[2].txt (ID = 5014)
6:37 PM: Found Spy Cookie: pricegrabber cookie
6:37 PM: big daddy@pricegrabber[2].txt (ID = 3185)
6:37 PM: big daddy@rsi.abc.go[1].txt (ID = 2729)
6:37 PM: big daddy@rsi.abcnews.go[1].txt (ID = 2729)
6:37 PM: Found Spy Cookie: tvguide cookie
6:37 PM: big daddy@sdc.tvguide[1].txt (ID = 3600)
6:37 PM: big daddy@tvguide[1].txt (ID = 3599)
6:37 PM: Found Spy Cookie: 888 cookie
6:37 PM: big daddy@www.888[1].txt (ID = 2020)
6:37 PM: Found Spy Cookie: burstbeacon cookie
6:37 PM: big daddy@www.burstbeacon[2].txt (ID = 2335)
6:37 PM: Found Spy Cookie: zedo cookie
6:37 PM: big daddy@zedo[2].txt (ID = 3762)
6:37 PM: Found Spy Cookie: 3 cookie
6:37 PM: ken@3[1].txt (ID = 1959)
6:37 PM: ken@888[2].txt (ID = 2019)
6:37 PM: Found Spy Cookie: websponsors cookie
6:37 PM: ken@a.websponsors[1].txt (ID = 3665)
6:37 PM: ken@abclocal.go[1].txt (ID = 2729)
6:37 PM: Found Spy Cookie: about cookie
6:37 PM: ken@about[2].txt (ID = 2037)
6:37 PM: Found Spy Cookie: reunion cookie
6:37 PM: ken@ad.reunion[1].txt (ID = 3256)
6:37 PM: ken@adecn[1].txt (ID = 2063)
6:37 PM: ken@adknowledge[1].txt (ID = 2072)
6:37 PM: Found Spy Cookie: hotbar cookie
6:37 PM: ken@adopt.hotbar[2].txt (ID = 4207)
6:37 PM: ken@adprofile[2].txt (ID = 2084)
6:37 PM: ken@ads.cc214142[1].txt (ID = 2367)
6:37 PM: Found Spy Cookie: pointroll cookie
6:37 PM: ken@ads.pointroll[1].txt (ID = 3148)
6:37 PM: ken@ar.atwola[1].txt (ID = 2256)
6:37 PM: Found Spy Cookie: falkag cookie
6:37 PM: ken@as1.falkag[2].txt (ID = 2650)
6:37 PM: Found Spy Cookie: askmen cookie
6:37 PM: ken@askmen[2].txt (ID = 2247)
6:37 PM: Found Spy Cookie: atlas dmt cookie
6:37 PM: ken@atdmt[2].txt (ID = 2253)
6:37 PM: ken@atwola[2].txt (ID = 2255)
6:37 PM: Found Spy Cookie: avres cookie
6:37 PM: ken@avres[1].txt (ID = 2261)
6:37 PM: ken@buenavistarecords.go[1].txt (ID = 2729)
6:37 PM: Found Spy Cookie: ru4 cookie
6:37 PM: ken@edge.ru4[1].txt (ID = 3269)
6:37 PM: ken@exitexchange[2].txt (ID = 2633)
6:37 PM: Found Spy Cookie: fastclick cookie
6:37 PM: ken@fastclick[2].txt (ID = 2651)
6:37 PM: Found Spy Cookie: gamespy cookie
6:37 PM: ken@gamespy[1].txt (ID = 2719)
6:37 PM: Found Spy Cookie: starware.com cookie
6:37 PM: ken@h.starware[1].txt (ID = 3442)
6:37 PM: ken@hits.clickandtrack[1].txt (ID = 2397)
6:37 PM: ken@hollywoodrecords.go[1].txt (ID = 2729)
6:37 PM: Found Spy Cookie: infospace cookie
6:37 PM: ken@infospace[2].txt (ID = 2865)
6:37 PM: ken@media.fastclick[2].txt (ID = 2652)
6:37 PM: Found Spy Cookie: mywebsearch cookie
6:37 PM: ken@mywebsearch[1].txt (ID = 3051)
6:37 PM: ken@nextag[2].txt (ID = 5014)
6:37 PM: Found Spy Cookie: partypoker cookie
6:37 PM: ken@partypoker[1].txt (ID = 3111)
6:37 PM: ken@pricegrabber[1].txt (ID = 3185)
6:37 PM: ken@primetimetv.about[1].txt (ID = 2038)
6:37 PM: Found Spy Cookie: questionmarket cookie
6:37 PM: ken@questionmarket[1].txt (ID = 3217)
6:37 PM: ken@reunion[2].txt (ID = 3255)
6:37 PM: ken@rsi.tvguide[1].txt (ID = 3600)
6:37 PM: ken@sdc.tvguide[1].txt (ID = 3600)
6:37 PM: ken@starware[2].txt (ID = 3441)
6:37 PM: Found Spy Cookie: dealtime cookie
6:37 PM: ken@stat.dealtime[2].txt (ID = 2506)
6:37 PM: Found Spy Cookie: trafficmp cookie
6:37 PM: ken@trafficmp[2].txt (ID = 3581)
6:37 PM: ken@tvguide[2].txt (ID = 3599)
6:37 PM: Found Spy Cookie: videodome cookie
6:37 PM: ken@videodome[1].txt (ID = 3638)
6:37 PM: Found Spy Cookie: ask cookie
6:37 PM: ken@web.ask[1].txt (ID = 2246)
6:37 PM: ken@www.ask[2].txt (ID = 2246)
6:37 PM: Found Spy Cookie: screensavers.com cookie
6:37 PM: ken@www.screensavers[2].txt (ID = 3298)
6:37 PM: ken@www.starware[1].txt (ID = 3442)
6:37 PM: Found Spy Cookie: adserver cookie
6:37 PM: ken@z1.adserver[2].txt (ID = 2142)
6:37 PM: ken@zedo[1].txt (ID = 3762)
6:37 PM: Cookie Sweep Complete, Elapsed Time: 00:00:12
6:37 PM: Starting File Sweep
6:38 PM: c:\program files\quicklinks (1 subtraces) (ID = -2147468660)
6:54 PM: Found Adware: apropos
6:54 PM: wingenerics.dll (ID = 50187)
7:19 PM: uninst.exe (ID = 73428)
7:19 PM: qlutility.exe (ID = 168232)
7:26 PM: File Sweep Complete, Elapsed Time: 00:48:53
7:26 PM: Full Sweep has completed. Elapsed time 01:02:00
7:26 PM: Traces Found: 173
7:39 PM: Removal process initiated
7:39 PM: Quarantining All Traces: apropos
7:39 PM: apropos is in use. It will be removed on reboot.
7:39 PM: wingenerics.dll is in use. It will be removed on reboot.
7:39 PM: Quarantining All Traces: coolwebsearch (cws)
7:39 PM: Quarantining All Traces: instant access
7:39 PM: Quarantining All Traces: quicklink search toolbar
7:39 PM: Quarantining All Traces: 3 cookie
7:39 PM: Quarantining All Traces: 888 cookie
7:39 PM: Quarantining All Traces: about cookie
7:39 PM: Quarantining All Traces: adecn cookie
7:39 PM: Quarantining All Traces: adknowledge cookie
7:39 PM: Quarantining All Traces: adprofile cookie
7:39 PM: Quarantining All Traces: adserver cookie
7:39 PM: Quarantining All Traces: ask cookie
7:39 PM: Quarantining All Traces: askmen cookie
7:39 PM: Quarantining All Traces: atlas dmt cookie
7:39 PM: Quarantining All Traces: atwola cookie
7:39 PM: Quarantining All Traces: avres cookie
7:39 PM: Quarantining All Traces: burstbeacon cookie
7:39 PM: Quarantining All Traces: burstnet cookie
7:39 PM: Quarantining All Traces: cc214142 cookie
7:40 PM: Quarantining All Traces: clickandtrack cookie
7:40 PM: Quarantining All Traces: dealtime cookie
7:40 PM: Quarantining All Traces: exitexchange cookie
7:40 PM: Quarantining All Traces: falkag cookie
7:40 PM: Quarantining All Traces: fastclick cookie
7:40 PM: Quarantining All Traces: gamespy cookie
7:40 PM: Quarantining All Traces: go.com cookie
7:40 PM: Quarantining All Traces: hotbar cookie
7:40 PM: Quarantining All Traces: infospace cookie
7:40 PM: Quarantining All Traces: metareward.com cookie
7:40 PM: Quarantining All Traces: mywebsearch cookie
7:40 PM: Quarantining All Traces: nextag cookie
7:40 PM: Quarantining All Traces: partypoker cookie
7:40 PM: Quarantining All Traces: pointroll cookie
7:40 PM: Quarantining All Traces: pricegrabber cookie
7:40 PM: Quarantining All Traces: questionmarket cookie
7:40 PM: Quarantining All Traces: reunion cookie
7:40 PM: Quarantining All Traces: ru4 cookie
7:40 PM: Quarantining All Traces: screensavers.com cookie
7:40 PM: Quarantining All Traces: starware.com cookie
7:40 PM: Quarantining All Traces: trafficmp cookie
7:40 PM: Quarantining All Traces: tvguide cookie
7:40 PM: Quarantining All Traces: videodome cookie
7:40 PM: Quarantining All Traces: websponsors cookie
7:40 PM: Quarantining All Traces: yieldmanager cookie
7:40 PM: Quarantining All Traces: zedo cookie
7:40 PM: Removal process completed. Elapsed time 00:00:57
7:51 PM: Processing Startup Alerts
7:51 PM: Allowed Startup entry: Yahoo! Pager
7:51 PM: Allowed Startup entry: Weather
7:52 PM: Processing Startup Alerts
7:52 PM: Removed Startup entry: msnmsgr
7:52 PM: Removed Startup entry: AIM
7:52 PM: Removed Startup entry: MSMSGS
********
6:20 PM: | Start of Session, Friday, December 09, 2005 |
6:20 PM: Spy Sweeper started
6:23 PM: Your spyware definitions have been updated.
6:24 PM: | End of Session, Friday, December 09, 2005 |
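The session log above ends with traces that were "in use" and deferred to reboot, which is exactly the case where a sweep can look complete while the adware is still loaded. The script below is added here as an example; it is not part of the thread and not Webroot's code. It parses a Spy Sweeper session log in the format posted above and reconciles detections against quarantine actions, so you can see what was actually removed, what waits for a reboot, and what was found but never quarantined. The sample log embedded in it is constructed from that format; names and times are illustrative.

```python
"""Reconcile a Webroot Spy Sweeper session log: what was detected, what was
quarantined, and what was deferred to the next reboot.

Added example for this thread; not Webroot's code. SAMPLE_LOG is constructed
in the format of the session log posted above (names and times illustrative).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
6:37 PM: Found Spy Cookie: partypoker cookie
6:37 PM: ken@partypoker[1].txt (ID = 3111)
6:37 PM: Found Spy Cookie: dealtime cookie
6:37 PM: ken@stat.dealtime[2].txt (ID = 2506)
6:37 PM: Cookie Sweep Complete, Elapsed Time: 00:00:12
6:37 PM: Starting File Sweep
6:54 PM: Found Adware: apropos
6:54 PM: wingenerics.dll (ID = 50187)
7:26 PM: File Sweep Complete, Elapsed Time: 00:48:53
7:26 PM: Traces Found: 173
7:39 PM: Removal process initiated
7:39 PM: Quarantining All Traces: apropos
7:39 PM: apropos is in use. It will be removed on reboot.
7:39 PM: wingenerics.dll is in use. It will be removed on reboot.
7:39 PM: Quarantining All Traces: coolwebsearch (cws)
7:40 PM: Quarantining All Traces: partypoker cookie
7:40 PM: Removal process completed. Elapsed time 00:00:57
"""

# Every line starts with an "h:mm AM/PM: " stamp.
STAMP = r"^\d{1,2}:\d{2} [AP]M: "
FOUND_RE = re.compile(STAMP + r"Found (?P<kind>[A-Za-z ]+?): (?P<name>.+)$")
QUAR_RE = re.compile(STAMP + r"Quarantining All Traces: (?P<name>.+)$")
INUSE_RE = re.compile(STAMP + r"(?P<item>.+?) is in use\. It will be removed on reboot\.$")
TOTAL_RE = re.compile(STAMP + r"Traces Found: (?P<n>\d+)$")
TRACE_RE = re.compile(STAMP + r"(?P<trace>.+?) \(ID = (?P<id>-?\d+)\)$")


@dataclass
class SweepSummary:
    found: Dict[str, str] = field(default_factory=dict)          # detection name -> kind
    traces: List[Tuple[str, int]] = field(default_factory=list)  # (trace, definition id)
    quarantined: Set[str] = field(default_factory=set)
    deferred: Set[str] = field(default_factory=set)              # removed only on reboot
    traces_found: Optional[int] = None

    def not_quarantined(self) -> Set[str]:
        """Detections with no matching 'Quarantining All Traces' line."""
        return set(self.found) - self.quarantined

    def needs_reboot(self) -> bool:
        return bool(self.deferred)


def parse_sweeper_log(text: str) -> SweepSummary:
    s = SweepSummary()
    for line in text.splitlines():
        if m := FOUND_RE.match(line):
            s.found[m["name"]] = m["kind"]
        elif m := QUAR_RE.match(line):
            s.quarantined.add(m["name"])
        elif m := INUSE_RE.match(line):
            s.deferred.add(m["item"])
        elif m := TOTAL_RE.match(line):
            s.traces_found = int(m["n"])
        elif m := TRACE_RE.match(line):
            s.traces.append((m["trace"], int(m["id"])))
    return s


def report(s: SweepSummary) -> List[str]:
    """Lines an analyst could paste back into a thread."""
    lines = [f"traces found: {s.traces_found}, detections named: {len(s.found)}, "
             f"quarantine actions: {len(s.quarantined)}"]
    for name in sorted(s.not_quarantined()):
        lines.append(f"NOT quarantined: {name} ({s.found[name]})")
    for item in sorted(s.deferred):
        lines.append(f"deferred to reboot: {item}")
    if s.needs_reboot():
        lines.append("verdict: reboot, then rescan before calling the machine clean")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_sweeper_log(SAMPLE_LOG))))
```

The point of the reconciliation is the last two lists: a detection with no quarantine line and anything "deferred to reboot" both mean the log alone does not prove the machine is clean, which is why the next step in this thread was a fresh HijackThis log after restarting.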

#4 pskelley

Posted 10 December 2005 - 02:41 AM

Hi Ken, Unfortunately it is not easy, folks give up many hours to work out what will remove this junk. Then the cockroaches who write the stuff come up with another way to get around us, all in the name of $$. Let's see how the HJT log looks first.

Logfile of HijackThis v1.99.1 Scan saved at 8:28:00 PM, on 12/9/2005
It seems Spysweeper was able to remove: O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll from your computer. This is the infection that was probably causing the popups. Something has failed in the HJT portion because some of the nasty adware is still there. We must remove it so we will try again. Understand this stuff is adware and does not belong on your computer. If you followed the instructions before then one of the programs you are running is blocking the fix. Make sure TeaTimer is totally turned off as in the instructions I provided. The only other programs I see are ewido and Spysweeper. It is not hard to check: once you click on fix checked then run a new log, if the lines are still there, turn off ewido and do it again, if they are still there, then turn off Spysweeper. If you are checking and fixing them then something is blocking and those are the only ones I see. If you know of anything else that needs to be off, like something in Panda Titanium 2006 Antivirus + Antispyware, turn it off also.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
see this >>> http://castlecops.co...plist-9038.html

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Open ewido and update the scanner, run a complete system scan and delete anything ewido finds unless you know it is not bad. It is very important that you save the scan report. Then empty the Recycle Bin and restart the computer.

Remember unless you purchased ewido, after the trial is over you need to turn it off, you can keep and update the scanner for as long as you like but there is no reason to waste resources having it running. SpySweeper also should be removed unless you purchase the software once the trial is over.

Post the ewido scan report and a new HJT log for a final review. All going well I will have some information to help you stay clean and safe and you will be good to go.

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
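Phil's instructions above amount to a triage of specific HijackThis line types: the R1 search and start-page URLs that were redirected, an O4 startup entry, and, in logs like these, the O16 ActiveX downloads and O18 protocol handlers that also deserve a look. As an added example, not part of this thread and not HijackThis' own code, the Python script below parses those line types from a v1.99 log and flags the entries an analyst would check first. Its sample log is constructed in the format of the logs posted here: "red.clientapp.example" is a hypothetical stand-in for the truncated hijack URL, the ".example" hosts and the two CLSIDs are invented, and TRUSTED_HOSTS is the example's own policy rather than anything HijackThis provides.

```python
"""Triage a HijackThis 1.99 log: parse the R1, O4, O16 and O18 lines and flag
the entries an analyst would check first.

Added example for this thread; not HijackThis' own code. SAMPLE_LOG is
constructed in the log format posted above. 'red.clientapp.example' stands in
for the truncated hijack URL in the thread, the '.example' hosts and the two
CLSIDs are invented, and TRUSTED_HOSTS is this example's own policy.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import urlparse

# Hosts the owner is known to have chosen (example policy, not a product feature).
TRUSTED_HOSTS: Set[str] = {"www.yahoo.com", "download.vendor.example"}

SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.example/search/ie.html",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O16 - DPF: {11111111-2222-3333-4444-555555555555} (Vendor Update Tool) - http://download.vendor.example/update.cab",
    r"O16 - DPF: {66666666-7777-8888-9999-000000000000} (Flash Player Class) - http://cdn.adnetwork.example/ampx.cab",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
])

# One regex per HJT line type this example understands.
R_RE = re.compile(r"^(?P<type>R[0-3]) - (?P<key>.+?) = (?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<scheme>\S+) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")


@dataclass
class Finding:
    line_type: str
    reason: str
    entry: str


def host_of(value: str) -> Optional[str]:
    """Hostname of an http(s) URL, or None for non-URL values (e.g. Window Title)."""
    p = urlparse(value)
    return p.hostname if p.scheme in ("http", "https") else None


def triage(log_text: str, trusted_hosts: Iterable[str] = TRUSTED_HOSTS) -> List[Finding]:
    trusted = set(trusted_hosts)
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if m := R_RE.match(line):
            # R0/R1: IE start page, search bar, search page, default search URL.
            host = host_of(m["value"])
            if host and host not in trusted:
                findings.append(Finding(m["type"], f"IE start/search setting points at untrusted host {host}", line))
        elif m := O4_RE.match(line):
            # O4: autostart entries. dumprep is the leftover crash-report entry Phil flagged.
            if "dumprep" in m["cmd"].lower():
                findings.append(Finding("O4", "KernelFaultCheck: leftover crash-report entry, safe to fix", line))
        elif m := O16_RE.match(line):
            # O16: ActiveX controls downloaded into Downloaded Program Files.
            host = host_of(m["url"])
            if host not in trusted:
                findings.append(Finding("O16", f"ActiveX control installed from untrusted host {host}", line))
        elif m := O18_RE.match(line):
            # O18: URL protocol handlers; a missing DLL means an orphaned registration.
            if "(file missing)" in m["target"]:
                findings.append(Finding("O18", f"orphaned protocol handler {m['scheme']}: target DLL is missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line_type}: {f.reason}\n    {f.entry}")
```

Two caveats match Phil's advice: a "trusted host" list is a judgement about what the owner actually chose, so the R1 check should be read as "look at this", not "delete this"; and a parser only sees the log, so after fixing entries you still need a fresh scan to confirm nothing re-created them.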

#5 KennyB

Posted 10 December 2005 - 11:17 AM

I think we got it.........have a look

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 6:14:21 AM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom &Out - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...iliate=MEDIAGEN
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

ewido scan

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:54:08 AM, 12/10/2005
+ Report-Checksum: 42D2D4E8

+ Scan result:

HKU\S-1-5-21-1343024091-515967899-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\Big Daddy\Cookies\big daddy@trafic[1].txt -> Spyware.Cookie.Trafic : Cleaned with backup
C:\Documents and Settings\Big Daddy\Local Settings\Temporary Internet Files\Content.IE5\W5QJWTMN\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Ken\Cookies\ken@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup


::Report End

Let me know what you think!

#6 pskelley

Posted 10 December 2005 - 11:46 AM

OK Ken :) That's a clean log :thumbup: Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Don't forget, ewido and Spysweeper are both big resource users. Unless you own them, you will want to stop them from running and turn them off in Services. The ewido scanner has free updates for as long as you wish, just start it manually when you want a good scan. Use it to watch where the junk is hiding, perhaps this will help: http://www.mvps.org/...02/delcache.htm
http://www.mvps.org/...002/cookies.htm
http://www.microsoft...acy/config.mspx

A cleaning of the System Restore files in case any bad stuff is hiding there is a good thing to do:
http://service1.syma...src=sec_doc_nam

Safe surfing and Happy Holidays :wavey:

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

#7 pskelley

Posted 13 December 2005 - 11:03 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
