Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

hijack log

Started by lcm300 , Mar 03 2006 01:21 PM

  • This topic is locked This topic is locked
8 replies to this topic

#1 lcm300

lcm300

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 03 March 2006 - 01:21 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:01:39 PM, on 3/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ipzrpak.exe
C:\WINDOWS\system32\dgfgql.exe
C:\WINDOWS\ipzrpakA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\klsx9e.exe
f:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\explorer.exe
C:\geeksquad\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [eTrustPPAP] "f:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [ipzrpakA] C:\WINDOWS\ipzrpakA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\hr4m05h1e.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ipzrpak.exe

    Advertisements

Register to Remove

#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 04 March 2006 - 07:06 AM

Hello lcm300, Welcome to the forum.

This is what I suggest you do.


Please do not delete anything unless instructed to.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06 . All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.

Next:

Please download the trial version of ewido anti-malware 3.5 here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#3 lcm300

lcm300

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 04 March 2006 - 09:20 AM

Below is my new hijack log followed by the wido log.

Windows pop-up with various sites.

Tim (Lcm300)

Logfile of HijackThis v1.99.1
Scan saved at 10:08:14 AM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\geeksquad\HijackThis.exe

O3 - Toolbar: Yahoo! Companion -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [eTrustPPAP] "F:\Program Files\CA\eTrust

PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy

Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet

Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -

http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://cdn2.zone.msn...ro.cab34246.cab
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} -

C:\WINDOWS\system32\wdc1n.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad -

C:\WINDOWS\system32\en4sl1h71.dll (file missing)
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -

C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program

Files\Ahead\InCD\InCDsrv.exe

________________________

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:02:00 AM, 3/4/2006
+ Report-Checksum: BBF25781

+ Scan result:

HKU\S-1-5-21-1614895754-854245398-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
[676] C:\WINDOWS\system32\kzdkyr.dll -> Adware.Look2Me : Cleaned with backup
C:\aebcq9z5w.exe -> Downloader.Agent.afi : Cleaned with backup
C:\Documents and Settings\tim.TIM-HQWWOP0G5QX\Desktop\WINDOWS.000\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\Documents and Settings\tim.TIM-HQWWOP0G5QX\Desktop\WINDOWS.000\TEMP\Brilliant\bdeinsta2.dll -> Adware.Altnet : Cleaned with backup
C:\Documents and Settings\tim.TIM-HQWWOP0G5QX\Desktop\WINDOWS.000\TEMP\Brilliant\bdeplayer\BDEPlayer2.cab/bdeplayer2.dll -> Adware.BrilliantDigital : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Gnucleus\Downloads\CloneDVD v2 8 8 2 + Universal Patch zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Program Files\Gnucleus\Downloads\CloneDVD v2.8.8.2 and Patch 2.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Program Files\RealOne Player 6.0.10.446\Realone Player\setup.exe -> Dropper.Pakes : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0116652.exe -> Downloader.VB.xr : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0116655.exe -> Downloader.VB.vv : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0116665.dll -> Adware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0116685.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0116694.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0116699.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0116704.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0117690.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0117691.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0117694.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP204\A0117733.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117752.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117753.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117779.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117783.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117789.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117793.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117798.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0117802.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118004.exe -> Adware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118008.exe -> Adware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118135.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118143.exe -> Adware.MediaMotor : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118144.exe -> Downloader.VB.uc : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118146.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118151.exe -> Downloader.Adload.u : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118180.exe -> Downloader.VB.xu : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118181.exe -> Downloader.Adload.v : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118182.exe -> Downloader.VB.xv : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118183.exe -> Hijacker.VB.li : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118184.exe -> Hijacker.VB.li : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118185.exe -> Hijacker.StartPage.aib : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118187.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118198.exe -> Downloader.VB.nw : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118199.exe -> Hijacker.VB.ij : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118200.exe -> Hijacker.VB.ij : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP205\A0118213.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118518.dll -> Adware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118632.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118957.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118963.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118964.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118969.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118979.dll -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{0344325D-BEE3-4738-8A1F-68E96A5C7022}\RP206\A0118980.dll -> Adware.Look2Me : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\6=LE.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\seli.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
C:\WINDOWS\system32\kzdkyr.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lv8609lse.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mcspy.exe -> Downloader.Small.ckq : Cleaned with backup
C:\WINDOWS\system32\pre2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\qldsregn.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\WINDOWS\Temp\Cookies\tim@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End

Thank you.

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 04 March 2006 - 10:03 AM

Could you psot a new HJT log and turn Word Wrap OFF in Notepad please.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#5 lcm300

lcm300

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 04 March 2006 - 11:01 AM

The attached should be a version with word wrap turned off.


Logfile of HijackThis v1.99.1
Scan saved at 10:08:14 AM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\geeksquad\HijackThis.exe

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [eTrustPPAP] "F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\en4sl1h71.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 04 March 2006 - 08:41 PM

Please do not delete anything unless instructed to.


Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#7 lcm300

lcm300

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 05 March 2006 - 05:10 AM

Below are the requested logs.
The windows are not opening up randomly anymore.

********
12:39 AM: | Start of Session, Sunday, March 05, 2006 |
12:39 AM: Spy Sweeper started
12:39 AM: Sweep initiated using definitions version 556
12:39 AM: Starting Memory Sweep
12:42 AM: Memory Sweep Complete, Elapsed Time: 00:02:52
12:42 AM: Starting Registry Sweep
12:42 AM: Found Adware: cws-aboutblank
12:42 AM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)
12:42 AM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)
12:42 AM: Found Adware: media-motor
12:42 AM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
12:42 AM: Found Adware: instafinder
12:42 AM: HKU\WRSS_Profile_S-1-5-21-1614895754-854245398-1202660629-1003\software\instafink\ (18 subtraces) (ID = 128666)
12:43 AM: Registry Sweep Complete, Elapsed Time:00:00:22
12:43 AM: Starting Cookie Sweep
12:43 AM: Found Spy Cookie: 2o7.net cookie
12:43 AM: tim@msnportal.112.2o7[1].txt (ID = 1958)
12:43 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:43 AM: Starting File Sweep
12:43 AM: Warning: Failed to read ADS-MFT entry 98556
12:44 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\sp1.cat". The system cannot find the file specified
12:44 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\oem5.cat". The system cannot find the file specified
12:44 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\ieexcep.cat". The system cannot find the file specified
12:44 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\winsxs\\atl.dll". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\olddrmclien.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\drmclien.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\1.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\oembios.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\mstsweb.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\oem3.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\oem4.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\oem2.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\wmfsdk2.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\ims.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\msmsgs.cat". The system cannot find the file specified
12:45 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\hpcrdp.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\2.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\oem6.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\q323172.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\iasnt4.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\vbs56nen.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\q326830.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\q324380.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\q318202_win2k.cat". The system cannot find the file specified
12:46 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\ntprint.cat". The system cannot find the file specified
12:47 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\wm320920_8.cat". The system cannot find the file specified
12:47 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\oem1.cat". The system cannot find the file specified
12:47 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\sp1". The system cannot find the file specified
12:47 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\mw770.cat". The system cannot find the file specified
12:47 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\mapimig.cat". The system cannot find the file specified
12:47 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\fp4.cat". The system cannot find the file specified
12:48 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\winsxs\\msvcirt.dll". The system cannot find the file specified
12:48 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\winsxs\\msvcrt.dll". The system cannot find the file specified
12:48 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\nt5.cat". The system cannot find the file specified
12:48 AM: Found Adware: tvmedia
12:48 AM: tvmknwrd.dll (ID = 81726)
12:48 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\winsxs\\msvcp60.dll". The system cannot find the file specified
12:48 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\nt5iis.cat". The system cannot find the file specified
12:48 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\system32\catroot\\nt5inf.cat". The system cannot find the file specified
12:49 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\winsxs\\mfc42u.dll". The system cannot find the file specified
12:49 AM: Warning: Failed to open file "c:\documents and settings\tim.tim-hqwwop0g5qx\desktop\windows.000\winsxs\\mfc42.dll". The system cannot find the file specified
1:25 AM: File Sweep Complete, Elapsed Time: 00:42:17
1:25 AM: Full Sweep has completed. Elapsed time 00:45:44
1:25 AM: Traces Found: 29
5:38 AM: Removal process initiated
5:38 AM: Quarantining All Traces: cws-aboutblank
5:38 AM: Quarantining All Traces: instafinder
5:38 AM: Quarantining All Traces: media-motor
5:38 AM: Quarantining All Traces: tvmedia
5:38 AM: Quarantining All Traces: 2o7.net cookie
5:38 AM: Removal process completed. Elapsed time 00:00:03
5:38 AM: Deletion from quarantine initiated
5:38 AM: Processing: 2o7.net cookie
5:38 AM: Processing: cws-aboutblank
5:38 AM: Processing: instafinder
5:38 AM: Processing: media-motor
5:38 AM: Processing: tvmedia
5:38 AM: Deletion from quarantine completed. Elapsed time 00:00:00
********
12:35 AM: | Start of Session, Sunday, March 05, 2006 |
12:35 AM: Spy Sweeper started
12:39 AM: | End of Session, Sunday, March 05, 2006 |


Logfile of HijackThis v1.99.1
Scan saved at 5:58:46 AM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\geeksquad\HijackThis.exe

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [eTrustPPAP] "F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thank you
Tim

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 March 2006 - 05:50 AM

Good Job :thumbup:

Log looks good :D :thumbup: How is it running any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 March 2006 - 02:05 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·