Help with hijackthis.log


  • This topic is locked
10 replies to this topic

#1 drummermanrick

drummermanrick

    New Member

  • New Member
  • 5 posts

Posted 15 February 2006 - 07:10 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:56:46 PM, on 2/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\CYBERA~1\casvc.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\PROGRA~1\CYBERA~1\pcs.exe
D:\windows\system32\rqdsregp.exe
D:\WINDOWS\system32\hpsw.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\wgse.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Ares Lite Edition\AresLite.exe
D:\WINDOWS\system32\swinrsap.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\YES\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - D:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] D:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [5464] C:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [winsync] D:\WINDOWS\system32\owwcyq.exe reg_run
O4 - HKLM\..\Run: [{20-00-0E-E6-ZN}] D:\windows\system32\rqdsregp.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] D:\WINDOWS\system32\swinrsap.exe FI002
O4 - HKLM\..\Run: [susse] "D:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [0cw80lwc.dll] RUNDLL32.EXE 0cw80lwc.dll,b 135344
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Startup: Zeno.lnk = D:\WINDOWS\system32\swinrsap.exe
O4 - Startup: Z_Start.lnk = D:\WINDOWS\system32\dwdsregt.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121039407869
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - D:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: cahooknt.dll
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - D:\PROGRA~1\CYBERA~1\casvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - D:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - D:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 February 2006 - 01:50 PM

drummermanrick, :D

Welcome to the forum, sorry about the delay but we are overwhelmed with logs.

You have the Qoologic Trojan on your system, and running the Ewido Anti-Malware scan has been successful in removing this pest. It's important that it runs in Safemode.


We need to move HJT to its own permanent folder. After you run Ewido, we won't be able to proceed any further until you move HJT.

DO THIS FIRST
Your HIJACKTHIS program is current, but it is very important that it resides in its own folder.
We will use Hijackthis (HJT) to make changes to your system, and HJT will make backups of those changes.
If HJT is not in its own folder, those backups could be lost.

Easy to fix,
* just go to MY COMPUTER > YOUR C:\ DRIVE and create a new folder and name it HIJACKTHIS .
* Now scroll to where you have HJT currently, right click on the HJT icon and select CUT .
* Now open the new folder you just created and right click within that folder and select PASTE .
* Now HJT should reside in C:\HIJACKTHIS\HIJACKTHIS.EXE

Download and install Ewido Anti-Malware
* Launch Ewido; there should be an icon for it on your desktop to double-click.
o Click on update
o You should see Update Complete when done.
o Now close out the program


Now reboot into Safemode
To Enter SAFEMODE

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot up, tap the F8 KEY somewhat rapidly; this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD

Now open Ewido
o Click on scanner.
o Run a full system scan
o Let the program scan the machine.
o While the scan is in progress you will be prompted to clean files, click OK.
o Select Perform action on all infections
o Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
o Click Save report.
o Save the report to your desktop.

Post a new HJT log along with the Ewido report; we still may have more to do.

Ken :D

 
 
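The helper above reads the HJT log by eye. As an added example that is not part of this thread or of HijackThis, the Python below parses HijackThis v1.99.1 log lines and flags the patterns visible in the first log: orphaned entries, Trusted Zone additions, the same executable registered under several Run names from the Windows root, a non-empty AppInit_DLLs, and a service named like a Windows component but not running from System32. The sample lines are copied from the first log; the heuristics are assumptions of this example, not HijackThis's own rules.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example, not part of the forum thread or of HijackThis itself.
The heuristics mirror what a helper checks by eye; they are assumptions
of this example, not HijackThis's own classification rules.
"""
import re
from collections import Counter

# Constructed sample: a subset of the first HJT log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [5464] C:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: cahooknt.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - D:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# "R3 - ..." / "O23 - ...": section tag, then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: Display Name (ShortName) - Owner - path
SVC_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
# Short names of core Windows components; a genuine one never shows up as an O23 service outside System32.
WINDOWS_COMPONENTS = {"lsass", "svchost", "services", "winlogon", "smss", "csrss"}


def parse_entries(log_text):
    """Yield (section, body) for every HJT entry line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def run_target(body):
    """Lower-cased executable of an O4 Run entry (quotes and arguments removed), or None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.lower()


def triage(log_text):
    """Return a list of (section, reason, line) findings for a HJT log."""
    entries = list(parse_entries(log_text))
    # First pass: how many Run values launch the same executable?
    run_counts = Counter(t for t in (run_target(b) for s, b in entries if s == "O4") if t)
    findings = []
    for sec, body in entries:
        line = f"{sec} - {body}"
        if "(file missing)" in body or "(no file)" in body:
            findings.append((sec, "orphaned entry: referenced file no longer exists", line))
        if sec == "O15":
            findings.append((sec, "third-party site added to the IE Trusted Zone", line))
        if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((sec, "AppInit_DLLs loads this DLL into every GUI process; verify it", line))
        if sec == "O4":
            exe = run_target(body)
            if exe and run_counts[exe] > 1:
                findings.append((sec, f"same executable registered {run_counts[exe]} times under different Run names", line))
            if exe and re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", exe):
                findings.append((sec, "executable sitting directly in the Windows root", line))
        if sec == "O23":
            m = SVC_RE.match(body)
            if m and m.group("short").lower() in WINDOWS_COMPONENTS \
                    and "\\system32\\" not in m.group("path").lower():
                findings.append((sec, f"service named like a Windows component ({m.group('short')}) but not running from System32", line))
    return findings


def count_by_section(findings):
    """Counter of findings per HJT section, handy for a quick summary."""
    return Counter(sec for sec, _, _ in findings)


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Entries that are only "(file missing)" are the easy part; the remaining hits are what a helper would cross-check against the Ewido report before telling the user which lines to fix.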

#3 drummermanrick

drummermanrick

    New Member

  • New Member
  • 5 posts

Posted 22 February 2006 - 08:16 PM

I followed your instructions. Here's the output from the Ewido scan.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:49:25 PM, 2/22/2006
+ Report-Checksum: 7B422500

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CLSID -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CurVer -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj.1 -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Adware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Adware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Adware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-484763869-839522115-1343024091-1004\Software\IST -> Adware.ISTBar : Cleaned with backup
HKU\S-1-5-21-484763869-839522115-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -> Downloader.ConHook.l : Cleaned with backup
HKU\S-1-5-21-484763869-839522115-1343024091-1004\Software\TimeSink, Inc. -> Adware.TimeSink : Cleaned with backup
HKU\S-1-5-21-484763869-839522115-1343024091-1004\Software\TimeSink, Inc.\TsAdBot -> Adware.TimeSink : Cleaned with backup
HKU\S-1-5-21-484763869-839522115-1343024091-1004\Software\TimeSink, Inc.\TsAdBot\Clients -> Adware.TimeSink : Cleaned with backup
HKU\S-1-5-21-484763869-839522115-1343024091-1004\Software\TimeSink, Inc.\TsAdBot\Clients\ba016002 -> Adware.TimeSink : Cleaned with backup
HKU\S-1-5-18\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\kc.exe -> Trojan.LowZones.dk : Cleaned with backup
C:\mmx888.exe -> Downloader.VB.sh : Cleaned with backup
C:\elt888.exe -> Logger.Agent.hi : Cleaned with backup
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\qxxj.exe -> Downloader.Qoologic.ax : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
D:\Documents and Settings\LocalService\Cookies\system@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0GC964Y8\eeedo[1].exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0GC964Y8\mm83[1].ocx -> Downloader.VB.ov : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0GC964Y8\mmx888[1].exe -> Downloader.VB.sh : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0GC964Y8\optimize[1].exe -> Downloader.Dyfuca.ei : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8L2WLFP4\elitemediapop[1].exe -> Trojan.LowZones.am : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8L2WLFP4\elt888[1].exe -> Logger.Agent.hi : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8L2WLFP4\titdric[1].cab/drwst.exe -> Adware.MDH : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8L2WLFP4\ZIFI002[1].exe -> Adware.ZenoSearch : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9BVTGDSE\876057[1].exe -> Adware.Mirar : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9BVTGDSE\nem220[1].dll -> Downloader.Dyfuca : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9BVTGDSE\optimize[1].exe -> Downloader.Dyfuca.ei : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9BVTGDSE\surv3[1].exe -> Downloader.VB.vv : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9BVTGDSE\whCC-GIANT[1].exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRXCQETK\876029[1].exe -> Adware.SaveNow : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRXCQETK\htwfdr[1].exe -> Downloader.Small.bmx : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRXCQETK\installer_251[1].exe -> Downloader.Qoologic.al : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRXCQETK\kcash[1].exe -> Trojan.LowZones.dk : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRXCQETK\ltndload[1].dll -> Adware.Sud : Cleaned with backup
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRXCQETK\mm63[1].ocx -> Adware.MediaMotor : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@banner.goldenpalace[2].txt -> TrackingCookie.Goldenpalace : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@c5.zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@com[2].txt -> TrackingCookie.Com : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@e-2dj6wfmywjczokq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@eztracks.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@goldenpalace[1].txt -> TrackingCookie.Goldenpalace : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@salesforce.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@sel.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@www.goldenpalace[1].txt -> TrackingCookie.Goldenpalace : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Cookies\rick beckham@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Local Settings\Temp\cln4.tmp -> Downloader.Dyfuca.dp : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Local Settings\Temp\tm31202.exe -> Downloader.Qoologic.ax : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Local Settings\Temporary Internet Files\Content.IE5\S54FSDYZ\3[1].bin -> Dropper.Agent.abb : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Local Settings\Temporary Internet Files\Content.IE5\S54FSDYZ\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Local Settings\Temporary Internet Files\Content.IE5\S54FSDYZ\rcverlib[2].exe -> Downloader.Qoologic.ax : Cleaned with backup
D:\Documents and Settings\Rick Beckham\Local Settings\Temporary Internet Files\Content.IE5\SHE7MVWL\Microsoft_Windows_Advanced_Upgrade_Wizard_Logo______________________________________________________________________[1].emf -> Exploit.MS05-053-WMF : Cleaned with backup
D:\Program Files\Jalmp\jalmp.dll -> Adware.Suggestor : Cleaned with backup
D:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
D:\Program Files\whInstall\whAgent.inf -> Adware.Webhancer : Cleaned with backup
D:\Program Files\whInstall\whInstaller.ini -> Adware.Webhancer : Cleaned with backup
D:\WINDOWS\876029.exe -> Adware.SaveNow : Cleaned with backup
D:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\eciv.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
D:\WINDOWS\htwfdr.exe -> Downloader.Small.bmx : Cleaned with backup
D:\WINDOWS\mm63.ocx -> Adware.MediaMotor : Cleaned with backup
D:\WINDOWS\mm83.ocx -> Downloader.VB.ov : Cleaned with backup
D:\WINDOWS\nem220.dll -> Downloader.Dyfuca : Cleaned with backup
D:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
D:\WINDOWS\system32\0cw80lwc.dll -> Adware.Sud : Cleaned with backup
D:\WINDOWS\system32\adsetup.exe -> Dropper.Agent.abb : Cleaned with backup
D:\WINDOWS\system32\bffdkvf.exe -> Downloader.Qoologic.ax : Cleaned with backup
D:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
D:\WINDOWS\system32\hpsw.exe -> Adware.Suggestor : Cleaned with backup
D:\WINDOWS\system32\kffwg.dll -> Downloader.Qoologic.ax : Cleaned with backup
D:\WINDOWS\system32\owwcyq.exe -> Downloader.Qoologic.ax : Cleaned with backup
D:\WINDOWS\system32\rqdsregp.exe -> Adware.ZenoSearch : Cleaned with backup
D:\WINDOWS\system32\swinrsap.exe -> Adware.ZenoSearch : Cleaned with backup
D:\WINDOWS\system32\vgactl.cpl -> Downloader.Qoologic.ad : Cleaned with backup
D:\WINDOWS\system32\wgse.exe -> Trojan.Runner.h : Cleaned with backup
D:\WINDOWS\system32\WinATS.dll -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\system32\wuauclt.dll -> Downloader.Qoologic.ae : Cleaned with backup
D:\WINDOWS\system32\yppkq.dat -> Downloader.Qoologic.ax : Cleaned with backup
D:\WINDOWS\Temp\F3C1.tmp/drwst.exe -> Adware.MDH : Cleaned with backup
D:\WINDOWS\Temp\mit7A5.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\Temp\mit7A5.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\Temp\NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
D:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup
D:\WINDOWS\wsem303.dll -> Downloader.Dyfuca.dt : Cleaned with backup
D:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

And here's the HijackThis report.

Logfile of HijackThis v1.99.1
Scan saved at 7:50:43 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\YES\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Glitch - {C3F699FD-5F86-451B-8150-81979857047E} - D:\WINDOWS\system32\nsv4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] D:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [5464] C:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] D:\WINDOWS\system32\swinrsai.exe FI002
O4 - HKLM\..\Run: [0cw80lwc.dll] RUNDLL32.EXE 0cw80lwc.dll,b 135344
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://D:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121039407869
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - D:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: cahooknt.dll
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - D:\PROGRA~1\CYBERA~1\casvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - D:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - D:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 February 2006 - 09:26 PM

drummermanrick, after we run a program you need to reboot; it is the reboot that helps remove the bad files on your system. My fault for not mentioning it. So reboot your computer in normal mode and post a new HJT log in normal mode. Ken :D

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#5 drummermanrick

drummermanrick

    New Member

  • New Member
  • 5 posts

Posted 23 February 2006 - 06:09 PM

Ken - still getting a few popups. Here's the logfile after reboot.

Logfile of HijackThis v1.99.1
Scan saved at 6:02:31 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\CYBERA~1\casvc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\PROGRA~1\CYBERA~1\pcs.exe
D:\WINDOWS\system32\swinrsai.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\YES\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Glitch - {C3F699FD-5F86-451B-8150-81979857047E} - D:\WINDOWS\system32\nsv4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] D:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [5464] C:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] D:\WINDOWS\system32\swinrsai.exe FI002
O4 - HKLM\..\Run: [0cw80lwc.dll] RUNDLL32.EXE 0cw80lwc.dll,b 135344
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Startup: Zeno.lnk = D:\WINDOWS\system32\swinrsai.exe
O4 - Startup: Z_Start.lnk = D:\WINDOWS\system32\dwdsregt.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121039407869
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - D:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: cahooknt.dll
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - D:\PROGRA~1\CYBERA~1\casvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - D:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - D:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 February 2006 - 07:52 PM

Rick,

We have a little work to do here. Most of the infection that we fixed is gone, but you have an abundance of other trojans and whatnot that we need to get rid of.


Let's do this... Print this all out, as we have to disconnect from the internet for part of the fix.


* Go to Start> Run and type in services.msc then press Enter
* Scroll down to Local Security Authority Subsystem Service
* Double Click that service to open it.
* Click on Stop Service.
* Then change the Startup Type to Disabled.
* OK your way out of the program.



Now, let's do the rest in Safe Mode with Windows still showing all files and folders.

Open HJT Scan Only; the only window you should have open is HJT. Put a checkmark in the following entries and click on Fix Checked. Take your time and don't miss any.

* R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
* O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem220.dll (file missing)
* O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll (file missing)
* O2 - BHO: Glitch - {C3F699FD-5F86-451B-8150-81979857047E} - D:\WINDOWS\system32\nsv4.dll
* O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - D:\WINDOWS\system32\WinNB57.dll (file missing)
* O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
* O4 - HKLM\..\Run: [5464] C:\windows\eee2.exe
* O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
* O4 - HKLM\..\Run: [BrowserUpdateSched] D:\WINDOWS\system32\swinrsai.exe FI002
* O4 - Startup: Z_Start.lnk = D:\WINDOWS\system32\dwdsregt.exe
* O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll (file missing)
* O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll (file missing)
* O15 - Trusted Zone: *.elitemediagroup.net
* O15 - Trusted Zone: *.media-motor.net
* O15 - Trusted Zone: *.popuppers.com
* O15 - Trusted Zone: http://click.getmirar.com (HKLM)
* O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
* O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
* O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
* O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
* O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - D:\PROGRA~1\Jalmp\jalmp.dll
* O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - D:\WINDOWS\scvhost.exe (file missing)



Still in Safe Mode, delete these files in Red.

D:\PROGRA~1\Jalmp\jalmp.dll <-- Do a search for this one and see if there is a Jalmp folder in your Program Files; if so, delete it.
C:\windows\eee2.exe
D:\WINDOWS\nem220.dll
D:\WINDOWS\scvhost.exe <-- You can delete this one safely; the legit file is D:\WINDOWS\system32\svchost.exe. Note the spelling:
scvhost.exe <-- Bad
svchost.exe <-- Legit

D:\WINDOWS\system32\dwdsregt.exe
D:\WINDOWS\system32\nsv4.dll
D:\WINDOWS\system32\swinrsai.exe
D:\WINDOWS\system32\wuauclt.dll <-- Be careful with this one: you want to delete wuauclt.dll, not wuauclt.exe.
wuauclt.dll <-- Bad
wuauclt.exe <-- Legit

D:\WINDOWS\system32\WinNB57.dll



Reboot normally


Download and Install CCleaner

* Click on Run Cleaner
* Run the Issues Scan <-- When it asks you to back up the Registry, say Yes

Tutorial for CCleaner
http://www.ccleaner.com/help/tour1.asp



Now open up Internet Explorer and go to Tools> Internet Options> Security> Trusted Sites> Sites and remove any entries that are in there.


I would like you to run Ewido again; you can run it in normal mode this time. Please post back with a new Ewido log and a new HJT log and let's see if we got it all.

Ken :D


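Several of the checks Ken applies by eye in the post above can be scripted: the scvhost.exe/svchost.exe and wuauclt.dll/wuauclt.exe lookalikes, Run entries pointing at C:\windows on a machine whose Windows directory is D:\WINDOWS, three Run keys launching the same eee2.exe, the Mirar Trusted Zone entries, and the orphaned "(file missing)" entries. The following Python triage script is an added example, not part of the original thread or of HijackThis; HJT_SAMPLE is a handful of lines copied from the logs posted above, and SYSTEM_BINARIES is a constructed reference list of core Windows binary names.

```python
"""Heuristic triage of HijackThis (HJT) log lines.  Added example, not part of
the original thread or of HijackThis: SYSTEM_BINARIES is a constructed reference
list and HJT_SAMPLE is a handful of lines copied from the logs posted above."""
import re
from collections import defaultdict

# Core Windows binaries whose names malware likes to imitate (constructed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
                   "csrss.exe", "rundll32.exe"}

# First drive-letter path on a line, up to its extension (paths may contain spaces).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))\b', re.I)

HJT_SAMPLE = r"""Running processes:
D:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [5464] C:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - D:\WINDOWS\system32\wuauclt.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - D:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
"""

def parse_windows_dir(log):
    """Derive the real Windows directory (e.g. 'd:\\windows') from the smss.exe
    entry in the 'Running processes' block; None if it is absent."""
    m = re.search(r'^([A-Za-z]:\\[^\\\n]+)\\system32\\smss\.exe$', log, re.I | re.M)
    return m.group(1).lower() if m else None

def edit_distance_le1(a, b):
    """True if a and b differ by one substitution, one insertion/deletion, or
    one adjacent transposition (scvhost.exe vs svchost.exe)."""
    if a == b:
        return False
    if len(a) == len(b):
        d = [i for i in range(len(a)) if a[i] != b[i]]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                               and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    if abs(len(a) - len(b)) == 1:
        sh, lg = sorted((a, b), key=len)
        return any(lg[:i] + lg[i + 1:] == sh for i in range(len(lg)))
    return False

def lookalike_of(basename):
    """Return the system binary that basename imitates (typo-distance 1, or the
    same stem with a swapped extension such as wuauclt.dll), else None."""
    name = basename.lower()
    stem, _, ext = name.rpartition(".")
    for legit in sorted(SYSTEM_BINARIES):
        lstem, _, lext = legit.rpartition(".")
        if name != legit and (edit_distance_le1(name, legit)
                              or (stem == lstem and ext != lext)):
            return legit
    return None

def triage_hjt(log):
    """Return (kind, detail) findings for HJT entries that warrant a closer look."""
    windir = parse_windows_dir(log)
    findings = []
    run_targets = defaultdict(set)          # basename -> names of Run entries
    for line in log.splitlines():
        line = line.strip()
        if not re.match(r'^[RO]\d+ - ', line):  # skip headers and process list
            continue
        if "(file missing)" in line or "(no file)" in line:
            findings.append(("orphaned_entry", line))
        if line.startswith("O15 - Trusted Zone:"):  # zone with relaxed IE settings
            findings.append(("trusted_zone", line))
        m = PATH_RE.search(line)
        path = m.group(1).lower() if m else None
        base = path.rsplit("\\", 1)[-1] if path else None
        legit = lookalike_of(base) if base else None
        if legit:
            findings.append(("lookalike_of_" + legit, line))
        if line.startswith("O4 - ") and path:
            name = re.search(r'\[(.*?)\]', line)
            if name:
                run_targets[base].add(name.group(1))
            # Windows lives on D: in this log, so a Run entry under C:\windows
            # points at a directory the real OS never populated.
            if windir and "\\windows\\" in path and not path.startswith(windir):
                findings.append(("run_entry_outside_windows_dir", line))
        if (line.startswith("O23 - ") and "unknown owner" in line.lower() and path
                and windir and not path.startswith(windir + "\\system32\\")):
            findings.append(("unowned_service", line))
    # One binary registered under several Run names is classic persistence.
    for base, names in run_targets.items():
        if len(names) > 1:
            findings.append(("shared_run_target", f"{base} <- {sorted(names)}"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage_hjt(HJT_SAMPLE):
        print(f"{kind:32} {detail}")
```

These are heuristics only: a BHO with an innocuous random name such as nsv4.dll is caught by knowing the file, not by pattern, which is why the helper still reads the whole log.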
#7 drummermanrick

drummermanrick

    New Member

  • New Member
  • 5 posts

Posted 24 February 2006 - 07:20 AM

Ken - ok, done everything you recommended. I noticed there were a few HijackThis logs you recommended I check that weren't present when I ran it. Here's the latest scan after doing what you asked:
---------------
Logfile of HijackThis v1.99.1
Scan saved at 7:10:57 AM, on 2/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Ares Lite Edition\AresLite.exe
D:\PROGRA~1\CYBERA~1\casvc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\YES\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] D:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [0cw80lwc.dll] RUNDLL32.EXE 0cw80lwc.dll,b 135344
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121039407869
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O20 - AppInit_DLLs: cahooknt.dll
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - D:\PROGRA~1\CYBERA~1\casvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - D:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-----------------------
and here's the ewido report
-----------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:09:20 AM, 2/24/2006
+ Report-Checksum: ADE2834A

+ Scan result:

HKU\S-1-5-21-484763869-839522115-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-484763869-839522115-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup


::Report End

#8 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 24 February 2006 - 08:35 AM

Rick,

Your log is looking so much better. :D Everything you have done was real positive. But there are a few entries we need to fix.

Open HJT Scan Only, close your browser and all open windows, check these entries and click on Fix Checked.



* R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
* O4 - HKLM\..\Run: [0cw80lwc.dll] RUNDLL32.EXE 0cw80lwc.dll,b 135344


* O20 - AppInit_DLLs: cahooknt.dll <-- this one could be related to a faxing program you are running. If you have no faxing program, then fix this one too.

Boot into Safemode and see if you can find these two files in Red and delete them if found. They could be in either C:\windows or C:\windows\system32

0cw80lwc.dll
cahooknt.dll <-- only delete this one if you remove the O20 line with HJT


Then reboot normally and post a new log please and let me know how your system is running now.

Ken :D


#9 drummermanrick

drummermanrick

    New Member

  • New Member
  • 5 posts

Posted 25 February 2006 - 07:59 AM

Ken - all instructions followed, here's the (hopefully) last report.
-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:47:16 AM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Ares Lite Edition\AresLite.exe
D:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\PROGRA~1\CYBERA~1\casvc.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\YES\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] D:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121039407869
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - D:\PROGRA~1\CYBERA~1\casvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - D:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for all your help, I will be making a donation.

#10 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 25 February 2006 - 08:54 AM

Good Morning Rick,


here's the (hopefully) last report.


Why, don't you like me? :D :D :D


Your log looks clean :thumbup: It was a pleasure working with you; you followed all my instructions real well.

This entry is taking me nowhere. You can fix it with HJT if you wish.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true


Here are some tips and free tools to install to help keep you more secure on the internet.


* Download and Install CCleaner
* Click on RUN TOOL
* This program is safe to run, but it will delete your cookies, so if there are any you want to keep, go to Options> Cookies and move any you want to keep from the left window to the right window.

* When you run the Issues Scan before you click on Remove Selected Issues, it will ask you to backup the registry, Say Yes.



* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch folder, but not the Prefetch folder itself.



* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on), click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON. This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.


Now Empty your Recycle Bin


System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

Reboot your System


Turn ON System Restore.


* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.


* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember


* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once a week.

* Here are Free Anti-Virus Programs if you need one

AVG Free Edition
AntiVir Personal Edition


* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.

* Spyware Blaster It will prevent most spyware from ever being installed.

* Spyware Guard It offers realtime protection from spyware installation attempts.

* Win Patrol This program will warn you when any changes are being made to your system and give you the option to deny the change.

* IE-Spyad IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use this for a while, you will want to make it your default.

* Thunderbird Mail Their companion mail program was highly favored in PCWorld Magazine; this has a good spam filter and is more secure than Outlook Express.

* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.

* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button
DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.

* Go to START/ CONTROL PANEL> PERFORMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running well. The first time you run it, it may take a while.

Thanks for using Tom Coyote, I will keep this thread open for a few days for you in case you have any other questions or concerns.

Ken......who can now go get a beer :D

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.
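The cleanup checklist from Ken's post (Prefetch, Temporary Internet Files, Recycle Bin, flushing old Restore Points and creating a clean one, Automatic Updates) carried out from a script rather than the GUI, as an added example that is not part of the original post or Ken's instructions. It assumes an elevated Windows PowerShell 5.1 prompt on a current Windows version; the XP-era menu paths have no direct cmdlet equivalents, so the modern counterparts (Checkpoint-Computer, Clear-RecycleBin, the Automatic Updates policy key) are assumed as the mapping.

```powershell
# Added example: automates the post-cleanup checklist from the post above.
# Assumes an elevated Windows PowerShell 5.1 prompt on Windows 10/11;
# the post's XP GUI steps are mapped to their modern counterparts.
#Requires -RunAsAdministrator

$systemDrive = $env:SystemDrive + '\'   # e.g. C:\ (the poster's machine used D:)

# 1. Empty the Prefetch folder but keep the folder itself.
Remove-Item -Path (Join-Path $env:SystemRoot 'Prefetch\*') -Force -ErrorAction SilentlyContinue

# 2. Delete Temporary Internet Files (8 = the "temporary internet files" flag of InetCpl.cpl).
Start-Process -FilePath rundll32.exe -ArgumentList 'InetCpl.cpl,ClearMyTracksByProcess 8' -Wait

# 3. Empty the Recycle Bin.
Clear-RecycleBin -Force -ErrorAction SilentlyContinue

# 4. Flush the old Restore Points: turning System Restore off discards them,
#    so a later restore can no longer bring the infection back.
Disable-ComputerRestore -Drive $systemDrive
Enable-ComputerRestore  -Drive $systemDrive

# 5. Create a fresh, known-clean Restore Point (name it something you remember).
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

# 6. Automatic Updates: download updates but let me choose when to install them (AUOptions = 3).
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $auKey -Force | Out-Null
Set-ItemProperty -Path $auKey -Name AUOptions -Value 3 -Type DWord

# Check: the only Restore Point left should be the one just created.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

Windows only creates one restore point per 24 hours through Checkpoint-Computer by default, so step 5 is skipped with a warning if one was already made today.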

#11 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 07 March 2006 - 10:23 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

