Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Log of what hijack this found

Started by shrek , Jan 08 2006 06:23 PM

  • Please log in to reply
10 replies to this topic

#1 shrek

shrek

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 08 January 2006 - 06:23 PM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go...bookaccessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {1BA6318B-0BB0-6A12-340D-78A3D510B1D6} - 321102.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WTFCTF] MSTCPDLL.exe
O4 - HKLM\..\Run: [media64] FLKPT.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [xxtoolbar] xxtoolbar.exe
O4 - HKCU\..\Run: [media64] abrek.exe
O4 - HKCU\..\Run: [systemdll] prgsys0984.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRxdm356YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6739A9C-040D-40B9-92D0-42CFFBAB8777}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{E934BA1E-F0BD-4310-BD14-E5606D933042}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CS1\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CS2\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Advertisements

Register to Remove

#2 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 14 January 2006 - 10:41 PM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

As you suspect, there are malware entries showing on your log.

It is best to have the most current log possible, so please run HijackThis again (make sure all windows and browsers are closed), Scan, and post the log using: Add Reply.

However, please post the entire HijackThis log.

The header should look something like:

Logfile of HijackThis v1.99.1
Scan saved at 3:19:51 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

And there is also an area containing Running Processes.


I will be notified when you post a new log, and will be glad to assist you.
"June, 2007 Farethee Well"

#3 shrek

shrek

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 15 January 2006 - 11:23 AM

Thank you for any help you can give me. My PC just seems like it is running a little different than it used to and I have an onlline class that starts in a month so any help is greatly appreciated. If you need direct contact my email is (email address removed)



Logfile of HijackThis v1.99.1
Scan saved at 12:11:17 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\DAVIDN~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go...bookaccessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {1BA6318B-0BB0-6A12-340D-78A3D510B1D6} - 321102.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WTFCTF] MSTCPDLL.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [media64] FLKPT.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [systemdll] prgsys0984.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRxdm356YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6739A9C-040D-40B9-92D0-42CFFBAB8777}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{E934BA1E-F0BD-4310-BD14-E5606D933042}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CS1\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CS2\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Edited by FZWG, 15 January 2006 - 05:30 PM.

#4 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 15 January 2006 - 07:35 PM

Your log is showing the characteristic entries of the WareOut malware.
Please proceed as follows, but first, you may want to print out these instructions for reference, since you will have to restart the computer during the process.

Your log shows TeaTimer is running. It is a Registry watchdog within Spybot but it can interfere with the fixing of problems. Please disable as follows: open Spybot, select Mode>Advanced Mode>Tools>Resident, and uncheck Resident TeaTimer.

Close Spybot Search and Destroy.

Then, download FixWareOut from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to the Desktop and run the program.
Click Next, then Install
Make sure Run fixit is checked
Click: Finish

The program starts; follow the prompts.
When asked to reboot the computer, please do.
Your system may take longer than usual to load, and this is normal.

When the system reboots, follow the prompts once again.
After reboot, you may only see the Desktop without icons and no Taskbar. That is OK.

HijackThis launches.
Click: Scan
Check box for:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - {1BA6318B-0BB0-6A12-340D-78A3D510B1D6} - 321102.dll (file missing)

O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)

O4 - HKLM\..\Run: [WTFCTF] MSTCPDLL.exe
O4 - HKLM\..\Run: [media64] FLKPT.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [systemdll] prgsys0984.exe

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6739A9C-040D-40B9-92D0-42CFFBAB8777}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{E934BA1E-F0BD-4310-BD14-E5606D933042}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CS1\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CS2\Services\Tcpip\..\{5AD71319-E748-470B-A0BE-66A93FDC038D}: NameServer = 85.255.116.119,85.255.112.195

Select: Fix Checked.

Close HijackThis, and click OK to proceed.

At the end of the procedure, you may need to restart the computer again.

Next, go to Start > Control Panel > Network Connections
Double-click: Network Connections
Right-click the Local Area Connection icon and select Properties
Select: Internet Protocol (TCP/IP) and click: Properties
In the Properties window, General tab, what is checked?

Next, go to Start > Run and copy and paste the following command:
ipconfig /flushdns
Click: OK

Please create a folder on the Desktop (Right click, select New > Folder)
Name it: Ewido
Download Ewido Anti-Malware:
http://www.ewido.net/en/download/
Press: Download Now
In the folder where EWIDO is located, double click the Ewido Setup file
Follow the prompts and reboot when done.
When the prompt with Additional Options appears, uncheck:
Install background guard
Install scan via context menu

Now, double click the ‘e’ on the Desktop, or, go to Start > All Programs > Ewido
When the program starts, do an online update for the latest signature files

Run Ewido.
Next, click on: Complete System Scan

The scan may find malware entries and request action to clean up. Agree.
However, if EWIDO finds something that you know is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), do not check: Perform action with all infections. If you are unsure of an entry, select None as the action for the time being.

Once the scan has completed, click: Save Report
Save the report to the EWIDO folder

When Ewido is done, reboot.

Run HijackThis once again, and Scan.

Finally, post the contents of:
The FixWareOut logfile located at: C:\fixwareout\report.txt
The Ewido report
A new HijackThis log (**See below!!)

**The current log shows you are running the program from here:
C:\DOCUME~1\DAVIDN~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

HijackThis makes backups of what is fixed, and it is best to have the program in its own folder to keep the backups securely. Create a folder like: C:\Program Files\HijackThis, or, if you want to keep it on the Desktop, right click an empty area, select New>Folder, name the folder HijackThis, and place the HijackThis.exe file in it.

Then, run the program from there, and post the log using: Add Reply
"June, 2007 Farethee Well"

#5 shrek

shrek

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 22 January 2006 - 02:49 PM

In the General Tab under Internet Protocol (TCP/IP) These two boxes were checked:
1- obtain IP address automatically
2- obtain DNS server address automatically

Here are the logs of the scans I ran. For the Ewido file I ran it twice on accident and wrote over the original report. There was a few things that it fixed and when it was run the second time nothing was found.

Fixwareout File

Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSVYF.EXE
C:\WINDOWS\SYSTEM32\DMHUW.EXE
C:\WINDOWS\SYSTEM32\DMYPN.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool


Here is the ewido report.

--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:35:26 PM, 1/22/2006
+ Report-Checksum: B5EFEA17

+ Scan result:

No infected objects found.


::Report End

Here is the highjackthis log

Logfile of HijackThis v1.99.1
Scan saved at 3:47:39 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Nawrot\Desktop\Highjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go...bookaccessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [dmyjn.exe] C:\WINDOWS\system32\dmyjn.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRxdm356YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



Once again thank you for any help you can give me!

#6 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 22 January 2006 - 09:50 PM

Good work!! Much better.

Please download Killbox:
http://www.downloads...org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Do not run it yet.

Run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [dmyjn.exe] C:\WINDOWS\system32\dmyjn.exe

Select: Fix Checked

Reboot to Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Programs > Accessories > Notepad):

C:\WINDOWS\SYSTEM32\CSVYF.EXE
C:\WINDOWS\SYSTEM32\DMHUW.EXE
C:\WINDOWS\SYSTEM32\DMYPN.EXE
C:\WINDOWS\system32\dmyjn.exe

Run KillBox
At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl + A) and Copy (Ctrl + C).

In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Reboot to normal Windows.

Run a Panda online ActiveScan
http://www.pandasoft.../activescan.htm

On the top right go to: Free Use ActiveScan
Select: Free online virus scan

In the prompt that appears: Panda ActiveScan, select the green button: Check Now! At no cost.

Follow the prompts, provide the required info, select: Scan Now!
Allow the ActiveX download.

Select a device to scan: Local Disks

Next, select: See Report
Then select, Save Report and save to a location where you can find the report.

Please provide the Panda ActiveScan report and a new HijackThis log in your response.
"June, 2007 Farethee Well"

#7 shrek

shrek

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 25 January 2006 - 06:14 PM

Hello again,

Once again I thank you very much for helping me out.

When I tried pasting the 4 files into the clipboard it seemed like it was only taking the first file so I put a coma and pasted the other three after that one. I hope it worked out the right way.

Here are the scan logs.
Activescan


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@ad.yieldmanager[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@ask[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@belnk[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@casalemedia[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@dist.belnk[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@maxserving[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@realmedia[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@statcounter[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@tribalfusion[2].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@xxxcounter[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\David Nawrot\Cookies\david nawrot@zedo[1].txt
Virus:Trj/DNSChanger.ED Disinfected C:\Documents and Settings\David Nawrot\Local Settings\Temp\Temporary Internet Files\Content.IE5\6BSRUHK1\test[1].exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Guest\Cookies\guest@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Guest\Cookies\guest@888[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Guest\Cookies\guest@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\guest@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Guest\Cookies\guest@cassava[1].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\Guest\Cookies\guest@cliks[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\guest@dist.belnk[2].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\Guest\Cookies\guest@master.mx-targeting[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Guest\Cookies\guest@offeroptimizer[2].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\Guest\Cookies\guest@servlet[2].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\KDM7G1QB\channels_02[1].gif
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\SHREK\Cookies\shrek@ad.yieldmanager[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\SHREK\Cookies\shrek@realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\SHREK\Cookies\shrek@trafficmp[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
Spyware:Cookie/2o7.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40E.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40F.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq410.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq411.tmp
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat



Hijackthis log 3

Logfile of HijackThis v1.99.1
Scan saved at 7:07:59 PM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Nawrot\Desktop\Highjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go...bookaccessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRxdm356YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#8 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 25 January 2006 - 09:30 PM

Log looks OK, but we better be safe than sorry…

Please run KillBox once again.
At the main screen of KillBox, select the option: Delete on Reboot
Then, in the Full Path of File to Delete box copy/paste the following entry:

C:\WINDOWS\SYSTEM32\CSVYF.EXE

Press the button with a red circle and a white X (Delete File button)
KillBox will alert you: All listed files will be deleted on next Reboot
Click Yes
Next prompt will be: Files will be removed on reboot. Do you want to reboot now?
Select No

Do the same for the following (one at a time):
C:\WINDOWS\SYSTEM32\DMHUW.EXE
C:\WINDOWS\SYSTEM32\DMYPN.EXE
C:\WINDOWS\system32\dmyjn.exe
C:\WINDOWS\kwv2.dat

When done with the last file, at the prompt: Do you want to reboot now?
Select: YES


Now, download CleanUp40.exe to the Desktop: (about 3/4 down the page: Primary download site (setup program): CleanUp40.exe)
http://www.stevengou...p/download.html

Double-click the Cleanup! program (downloaded earlier) icon to run the program
-Click: Options (right side)
-In the Quick SetUp area, move the arrow to: Custom CleanUp!
-Check the following:
--Delete Cookies
--Empty Recycle Bin
--Delete Prefetch files
--Scan local drives for temporary files
--Cleanup! All Users
Click: OK
Click the CleanUp button and let the program run.
Close the program when done.


There is a Yahoo! Anti-Spy feature in the Yahoo! Toolbar.

If the system is working properly, go to C:\Program Files\Yahoo!\YPSR\Quarantine, and remove the files in Quarantine.

Reboot the computer.

Run a Panda online ActiveScan one more time, and post its results.
http://www.pandasoft.../activescan.htm
"June, 2007 Farethee Well"

#9 shrek

shrek

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 27 January 2006 - 03:22 PM

Activescan found nothing, does this mean my computer is some what clean for now?

#10 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 27 January 2006 - 07:20 PM

Run HijackThis, Scan
Check box for:

O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRxdm356YYUS

Select: Fix Checked

Restart in Safe Mode.

Go to Start > Control Panel >Add or Remove Programs and uninstall (if present) My Web Search or My Bar. It is not technically malware, but may bring malware with it. There are safer alternatives available such as the Google toolbar. Recommend that you remove it.

Search for and remove the following folder (bold):
C:\Program Files\MyWay

Reboot.

If you are not having malware problems, you are good to go!

Some suggestions to remain malware free:
Tony Klein’s article 'How Did I Get Infected In The First Place'
http://www.wildersse...ead.php?t=27971
Take a look at what the article has to offer and select the programs that suit your needs.

Also, the following are excellent programs that you may want to run on a regular basis:

Microsoft AntiSpyware:
http://www.microsoft...re/default.mspx

AdAware SE:
http://www.majorgeek...ownload506.html

Spybot Search and Destroy:
http://www.majorgeek...wnload2471.html

Thank you for your patience, and performing the procedures requested.
If you have any questions or comments, post back. Otherwise...

Good luck!!
"June, 2007 Farethee Well"

#11 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 20 April 2006 - 08:44 PM

Solved
"June, 2007 Farethee Well"

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·