Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Can't access Tom Coyote support forum


  • This topic is locked This topic is locked
14 replies to this topic

#1 rml

rml

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts

Posted 25 March 2006 - 06:45 PM

Hello daveai,
This is the HJT log sent from an uninfected computer.You asked for additional info re: status of not being able to access TC forum. I can reach the Home page on TomCoyote site, but when I click on forums to login, it won't open. Also can't reach other sites for Malware or Spyware removal. I have Spybot S& D.
Ad-Aware SE . I am unable to click on any links to the forum site through previous responses in emails also.
Sure appreciate any help.



gfile of HijackThis v1.99.1
Scan saved at 7:02:45 AM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\hijackthis.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgpin.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xcwmyro.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://libcam.concor...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O20 - Winlogon Notify: zopenssl - C:\WINDOWS\SYSTEM32\zopenssl.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 25 March 2006 - 07:27 PM

Hello rml, Welcome to the forum.

Not going to be easy beings you can't get the infected PC here, but we'll see what we can do.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
SpywareRemover



Next, launch Notepad (Start>All Programs>Accessories), and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\zopenssl.dll]


On the desktop, doubleclick fix.reg and allow it to run. Let it merge.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgpin.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xcwmyro.exe
O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
O20 - Winlogon Notify: zopenssl - C:\WINDOWS\SYSTEM32\zopenssl.dll


Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINDOWS\SYSTEM32\zopenssl.dll
C:\WINDOWS\system32\mgpin.exe


Open C:\Windows\Prefetch\ Delete ALL files in this folder.


Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 rml

rml

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts

Posted 26 March 2006 - 07:05 PM

Hello LDTATE,
I was successful in following all of the previous instructions,however these entries were not present on the HJT log: RO-HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=\blank.htm
04-HKLM\..\Run:[SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe-boot
The other items , I checked to fix, but it would not delete the items. I tried several times.
Ad-Aware Se persistently finds this Registry Value: Software\Microsoftnt\currentversion\winlogon"Shell"(explorer.exe,C:windows\system32\mgpin.exe
It will not delete. I also tried to find this in Regedit, but could not locate it
The system is still corrupt,complete w/ pop-ups ,and still unable to access the forum.
Here is the current HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:13:10 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Hijackthis\hijackthis.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=1c02&lc=0409
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgpin.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xcwmyro.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://libcam.concor...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O20 - Winlogon Notify: zopenssl - C:\WINDOWS\SYSTEM32\zopenssl.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 March 2006 - 07:10 PM

Please do not delete anything unless instructed to.


Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 rml

rml

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts

Posted 01 April 2006 - 11:22 AM

Hello, Just got this response, still working from another computer. tried to copy & paste this to an email. Will post back is successful. Thanks......

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 11:25 AM

OK :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 rml

rml

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts

Posted 01 April 2006 - 04:54 PM

LDTATE,
You are great!!!!!!! Obviously , the SpySweeper worked, and I am able to access the forum again.
Here is the log file:
4:16 PM: | Start of Session, Saturday, April 01, 2006 |
4:16 PM: Spy Sweeper started
4:16 PM: Sweep initiated using definitions version 646
4:16 PM: Starting Memory Sweep
4:17 PM: Found Adware: clkoptimizer
4:17 PM: Detected running threat: C:\WINDOWS\system32\dexefua.dll (ID = 268933)
4:20 PM: Detected running threat: C:\WINDOWS\system32\mgpin.exe (ID = 268934)
4:20 PM: Detected running threat: C:\WINDOWS\system32\wwyenm.exe (ID = 268995)
4:20 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || vodvnk (ID = 0)
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-501\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-500\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1011\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:20 PM: HKU\S-1-5-21-3569660965-917563655-3757435101-1006\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1005\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:20 PM: Detected running threat: C:\WINDOWS\system32\mgpin.exe (ID = 268934)
4:20 PM: Detected running threat: C:\WINDOWS\system32\mgpin.exe (ID = 268934)
4:20 PM: Memory Sweep Complete, Elapsed Time: 00:04:17
4:20 PM: Starting Registry Sweep
4:20 PM: Found Adware: dealhelper
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1011\software\timesynchonization\ (1 subtraces) (ID = 124818)
4:20 PM: Found Adware: targetsaver
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1011\software\microsoft\windows\currentversion\run\ || tsa2 (ID = 143603)
4:20 PM: Found Adware: sidesearch
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1011\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
4:20 PM: Found Adware: delfin
4:20 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1005\software\delfin\ (3 subtraces) (ID = 124848)
4:20 PM: Registry Sweep Complete, Elapsed Time:00:00:30
4:20 PM: Starting Cookie Sweep
4:20 PM: Found Spy Cookie: adknowledge cookie
4:20 PM: edward@adknowledge[2].txt (ID = 2072)
4:20 PM: Found Spy Cookie: azjmp cookie
4:20 PM: edward@azjmp[2].txt (ID = 2270)
4:20 PM: Found Spy Cookie: exitexchange cookie
4:20 PM: edward@exitexchange[1].txt (ID = 2633)
4:20 PM: Found Spy Cookie: ic-live cookie
4:20 PM: edward@ic-live[1].txt (ID = 2821)
4:20 PM: Found Spy Cookie: 247realmedia cookie
4:20 PM: rob@247realmedia[1].txt (ID = 1953)
4:20 PM: Found Spy Cookie: 2o7.net cookie
4:20 PM: rob@2o7[2].txt (ID = 1957)
4:20 PM: Found Spy Cookie: 80503492 cookie
4:20 PM: rob@80503492[1].txt (ID = 2013)
4:20 PM: Found Spy Cookie: websponsors cookie
4:20 PM: rob@a.websponsors[2].txt (ID = 3665)
4:20 PM: Found Spy Cookie: about cookie
4:20 PM: rob@about[2].txt (ID = 2037)
4:20 PM: Found Spy Cookie: yieldmanager cookie
4:20 PM: rob@ad.yieldmanager[2].txt (ID = 3751)
4:20 PM: Found Spy Cookie: adecn cookie
4:20 PM: rob@adecn[1].txt (ID = 2063)
4:20 PM: rob@adknowledge[2].txt (ID = 2072)
4:20 PM: Found Spy Cookie: hbmediapro cookie
4:20 PM: rob@adopt.hbmediapro[2].txt (ID = 2768)
4:20 PM: Found Spy Cookie: specificclick.com cookie
4:20 PM: rob@adopt.specificclick[2].txt (ID = 3400)
4:20 PM: Found Spy Cookie: advertising cookie
4:20 PM: rob@advertising[2].txt (ID = 2175)
4:20 PM: Found Spy Cookie: ask cookie
4:20 PM: rob@ask[1].txt (ID = 2245)
4:20 PM: Found Spy Cookie: atlas dmt cookie
4:20 PM: rob@atdmt[1].txt (ID = 2253)
4:20 PM: rob@azjmp[1].txt (ID = 2270)
4:20 PM: Found Spy Cookie: burstnet cookie
4:20 PM: rob@burstnet[1].txt (ID = 2336)
4:20 PM: Found Spy Cookie: casalemedia cookie
4:20 PM: rob@casalemedia[1].txt (ID = 2354)
4:20 PM: rob@compnetworking.about[2].txt (ID = 2038)
4:20 PM: Found Spy Cookie: overture cookie
4:20 PM: rob@data2.perf.overture[2].txt (ID = 3106)
4:20 PM: Found Spy Cookie: directtrack cookie
4:20 PM: rob@directtrack[1].txt (ID = 2527)
4:20 PM: Found Spy Cookie: epilot cookie
4:20 PM: rob@epilot[1].txt (ID = 2621)
4:20 PM: rob@exitexchange[1].txt (ID = 2633)
4:20 PM: Found Spy Cookie: clickandtrack cookie
4:20 PM: rob@hits.clickandtrack[1].txt (ID = 2397)
4:20 PM: Found Spy Cookie: screensavers.com cookie
4:20 PM: rob@i.screensavers[1].txt (ID = 3298)
4:20 PM: Found Spy Cookie: metareward.com cookie
4:20 PM: rob@metareward[2].txt (ID = 2990)
4:20 PM: rob@microsofteup.112.2o7[1].txt (ID = 1958)
4:20 PM: Found Spy Cookie: nuker cookie
4:20 PM: rob@nuker[2].txt (ID = 3085)
4:20 PM: rob@partygaming.122.2o7[1].txt (ID = 1958)
4:20 PM: Found Spy Cookie: partypoker cookie
4:20 PM: rob@partypoker[2].txt (ID = 3111)
4:20 PM: Found Spy Cookie: pro-market cookie
4:20 PM: rob@pro-market[1].txt (ID = 3197)
4:20 PM: rob@rapidresponse.directtrack[2].txt (ID = 2528)
4:20 PM: Found Spy Cookie: realmedia cookie
4:20 PM: rob@realmedia[2].txt (ID = 3235)
4:20 PM: Found Spy Cookie: reliablestats cookie
4:20 PM: rob@stats1.reliablestats[2].txt (ID = 3254)
4:20 PM: Found Spy Cookie: tacoda cookie
4:20 PM: rob@tacoda[1].txt (ID = 6444)
4:20 PM: Found Spy Cookie: toplist cookie
4:20 PM: rob@toplist[1].txt (ID = 3557)
4:20 PM: Found Spy Cookie: tribalfusion cookie
4:20 PM: rob@tribalfusion[2].txt (ID = 3589)
4:20 PM: Found Spy Cookie: web-stat cookie
4:20 PM: rob@web-stat[2].txt (ID = 3648)
4:20 PM: Found Spy Cookie: webpower cookie
4:20 PM: rob@webpower[2].txt (ID = 3660)
4:20 PM: Found Spy Cookie: winantiviruspro cookie
4:21 PM: rob@winantiviruspro[1].txt (ID = 3689)
4:21 PM: Found Spy Cookie: myaffiliateprogram.com cookie
4:21 PM: rob@www.myaffiliateprogram[2].txt (ID = 3032)
4:21 PM: rob@www.screensavers[1].txt (ID = 3298)
4:21 PM: rob@yieldmanager[2].txt (ID = 3749)
4:21 PM: Found Spy Cookie: adserver cookie
4:21 PM: rob@z1.adserver[1].txt (ID = 2142)
4:21 PM: Found Spy Cookie: zedo cookie
4:21 PM: rob@zedo[1].txt (ID = 3762)
4:21 PM: clynch@ad.yieldmanager[2].txt (ID = 3751)
4:21 PM: Found Spy Cookie: addynamix cookie
4:21 PM: clynch@ads.addynamix[2].txt (ID = 2062)
4:21 PM: clynch@advertising[2].txt (ID = 2175)
4:21 PM: clynch@atdmt[2].txt (ID = 2253)
4:21 PM: Found Spy Cookie: mediaplex cookie
4:21 PM: clynch@mediaplex[2].txt (ID = 6442)
4:21 PM: Found Spy Cookie: nextag cookie
4:21 PM: clynch@nextag[2].txt (ID = 5014)
4:21 PM: Found Spy Cookie: questionmarket cookie
4:21 PM: clynch@questionmarket[1].txt (ID = 3217)
4:21 PM: Found Spy Cookie: coremetrics cookie
4:21 PM: clynch@twci.coremetrics[1].txt (ID = 2472)
4:21 PM: clynch@zedo[1].txt (ID = 3762)
4:21 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
4:21 PM: Starting File Sweep
4:21 PM: Found Adware: great net downloadware
4:21 PM: c:\program files\medialoads (205 subtraces) (ID = -2147481081)
4:23 PM: Found System Monitor: pc-controller
4:23 PM: setup.exe (ID = 273574)
4:24 PM: Found Adware: clipgenie
4:24 PM: main.html (ID = 53069)
4:26 PM: Found Adware: dollarrevenue
4:26 PM: keyboard4.exe (ID = 268841)
4:26 PM: medialoads.lnk (ID = 59302)
4:33 PM: Found Adware: 180search assistant/zango
4:33 PM: salmau.dat (ID = 93788)
4:38 PM: scroller.swf (ID = 53090)
4:40 PM: f1_2b_categories.html (ID = 53045)
4:41 PM: Found Adware: brilliant digital
4:41 PM: bde3d_refp4.dll (ID = 51734)
4:42 PM: player.html (ID = 53078)
4:42 PM: playerslices.htm (ID = 53080)
4:45 PM: grvpreview.wmv (ID = 53061)
4:46 PM: Found Adware: topsearch
4:46 PM: topsearch.dll (ID = 79735)
4:55 PM: xcwmyro.exe (ID = 268932)
4:55 PM: wwyenm.exe (ID = 268995)
4:55 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || vodvnk (ID = 0)
4:55 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-501\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:55 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-500\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:55 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1011\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:55 PM: HKU\S-1-5-21-3569660965-917563655-3757435101-1006\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:55 PM: HKU\WRSS_Profile_S-1-5-21-3569660965-917563655-3757435101-1005\Software\Microsoft\Windows\CurrentVersion\Run || slkwo (ID = 0)
4:55 PM: mgpin.exe (ID = 268934)
4:55 PM: ofkfu.exe (ID = 268995)
4:55 PM: cunha.dat (ID = 268995)
4:55 PM: dexefua.dll (ID = 268933)
4:58 PM: launch.html (ID = 53068)
4:58 PM: f1_1.html (ID = 53043)
4:58 PM: f1_2a.html (ID = 53044)
4:58 PM: f1_3.html (ID = 53046)
4:58 PM: f2.html (ID = 53047)
4:58 PM: f3_1.html (ID = 53048)
4:58 PM: f3_2a_player.html (ID = 53049)
4:58 PM: f3_2b.html (ID = 53050)
4:58 PM: f3_3.html (ID = 53051)
4:58 PM: f3_4a_files.html (ID = 53052)
4:58 PM: f3_4b.html (ID = 53053)
4:58 PM: f3_5.html (ID = 53054)
4:58 PM: Warning: Failed to access drive D:
4:58 PM: Warning: Failed to access drive E:
4:58 PM: Found System Monitor: potentially rootkit-masked files
4:58 PM: zopenssld.sys (ID = 0)
4:58 PM: zopenssl.dll (ID = 0)
4:58 PM: setrefresh.zip (ID = 273574)
4:59 PM: Warning: Invalid file - not a PKZip file
4:59 PM: Warning: Invalid Stream
4:59 PM: File Sweep Complete, Elapsed Time: 00:38:15
4:59 PM: Full Sweep has completed. Elapsed time 00:43:16
4:59 PM: Traces Found: 320
5:04 PM: Removal process initiated
5:05 PM: Quarantining All Traces: 180search assistant/zango
5:05 PM: Quarantining All Traces: clkoptimizer
5:05 PM: clkoptimizer is in use. It will be removed on reboot.
5:05 PM: wwyenm.exe is in use. It will be removed on reboot.
5:05 PM: mgpin.exe is in use. It will be removed on reboot.
5:05 PM: ofkfu.exe is in use. It will be removed on reboot.
5:05 PM: dexefua.dll is in use. It will be removed on reboot.
5:05 PM: C:\WINDOWS\system32\dexefua.dll is in use. It will be removed on reboot.
5:05 PM: C:\WINDOWS\system32\mgpin.exe is in use. It will be removed on reboot.
5:05 PM: C:\WINDOWS\system32\wwyenm.exe is in use. It will be removed on reboot.
5:05 PM: C:\WINDOWS\system32\mgpin.exe is in use. It will be removed on reboot.
5:05 PM: C:\WINDOWS\system32\mgpin.exe is in use. It will be removed on reboot.
5:05 PM: Quarantining All Traces: pc-controller
5:05 PM: Quarantining All Traces: potentially rootkit-masked files
5:05 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
5:05 PM: zopenssld.sys is in use. It will be removed on reboot.
5:05 PM: zopenssl.dll is in use. It will be removed on reboot.
5:05 PM: Quarantining All Traces: delfin
5:05 PM: Quarantining All Traces: dollarrevenue
5:05 PM: Quarantining All Traces: sidesearch
5:05 PM: Quarantining All Traces: brilliant digital
5:05 PM: Quarantining All Traces: clipgenie
5:05 PM: Quarantining All Traces: dealhelper
5:05 PM: Quarantining All Traces: great net downloadware
5:05 PM: Quarantining All Traces: targetsaver
5:06 PM: Quarantining All Traces: topsearch
5:06 PM: Quarantining All Traces: 247realmedia cookie
5:06 PM: Quarantining All Traces: 2o7.net cookie
5:06 PM: Quarantining All Traces: 80503492 cookie
5:06 PM: Quarantining All Traces: about cookie
5:06 PM: Quarantining All Traces: addynamix cookie
5:06 PM: Quarantining All Traces: adecn cookie
5:06 PM: Quarantining All Traces: adknowledge cookie
5:06 PM: Quarantining All Traces: adserver cookie
5:06 PM: Quarantining All Traces: advertising cookie
5:06 PM: Quarantining All Traces: ask cookie
5:06 PM: Quarantining All Traces: atlas dmt cookie
5:06 PM: Quarantining All Traces: azjmp cookie
5:06 PM: Quarantining All Traces: burstnet cookie
5:06 PM: Quarantining All Traces: casalemedia cookie
5:06 PM: Quarantining All Traces: clickandtrack cookie
5:06 PM: Quarantining All Traces: coremetrics cookie
5:06 PM: Quarantining All Traces: directtrack cookie
5:06 PM: Quarantining All Traces: epilot cookie
5:06 PM: Quarantining All Traces: exitexchange cookie
5:06 PM: Quarantining All Traces: hbmediapro cookie
5:06 PM: Quarantining All Traces: ic-live cookie
5:06 PM: Quarantining All Traces: mediaplex cookie
5:06 PM: Quarantining All Traces: metareward.com cookie
5:06 PM: Quarantining All Traces: myaffiliateprogram.com cookie
5:06 PM: Quarantining All Traces: nextag cookie
5:06 PM: Quarantining All Traces: nuker cookie
5:06 PM: Quarantining All Traces: overture cookie
5:06 PM: Quarantining All Traces: partypoker cookie
5:06 PM: Quarantining All Traces: pro-market cookie
5:06 PM: Quarantining All Traces: questionmarket cookie
5:06 PM: Quarantining All Traces: realmedia cookie
5:06 PM: Quarantining All Traces: reliablestats cookie
5:06 PM: Quarantining All Traces: screensavers.com cookie
5:06 PM: Quarantining All Traces: specificclick.com cookie
5:06 PM: Quarantining All Traces: tacoda cookie
5:06 PM: Quarantining All Traces: toplist cookie
5:06 PM: Quarantining All Traces: tribalfusion cookie
5:06 PM: Quarantining All Traces: webpower cookie
5:06 PM: Quarantining All Traces: websponsors cookie
5:06 PM: Quarantining All Traces: web-stat cookie
5:06 PM: Quarantining All Traces: winantiviruspro cookie
5:06 PM: Quarantining All Traces: yieldmanager cookie
5:06 PM: Quarantining All Traces: zedo cookie
5:06 PM: Warning: Launched explorer.exe
5:06 PM: Warning: Quarantine process could not restart Explorer.
5:06 PM: Preparing to restart your computer. Please wait...
5:06 PM: Removal process completed. Elapsed time 00:02:08
********
4:13 PM: | Start of Session, Saturday, April 01, 2006 |
4:13 PM: Spy Sweeper started
4:14 PM: Your spyware definitions have been updated.
4:16 PM: | End of Session, Saturday



Here is HJT log:

ile of HijackThis v1.99.1
Scan saved at 5:43:36 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\hijackthis.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=1c02&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgpin.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xcwmyro.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://libcam.concor...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: zopenssl - zopenssl.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Will wait for your advice on what to do next.

Thank you so much...

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 05:42 PM

Great :thumbup:


Please do not delete anything unless instructed to.


If spy sweeper complains, please allow the changes.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgpin.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xcwmyro.exe
O20 - Winlogon Notify: zopenssl - zopenssl.dll (file missing)


Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINDOWS\system32\mgpin.exe
C:\WINDOWS\SYSTEM32\xcwmyro.exe



Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 rml

rml

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts

Posted 01 April 2006 - 06:24 PM

Ran HJT, the items are still there. System seems to be operating well now though, no pop-ups


ogfile of HijackThis v1.99.1
Scan saved at 7:11:13 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\hijackthis.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=1c02&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://libcam.concor...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by rml, 01 April 2006 - 06:33 PM.


#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 06:37 PM

Ran HJT, the items are still there.

I don't see them in your log.
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgpin.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xcwmyro.exe
O20 - Winlogon Notify: zopenssl - zopenssl.dll (file missing)

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 rml

rml

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts

Posted 01 April 2006 - 07:13 PM

Good deal. Just ran Ad-Aware SE personal w/ no registry values or keys identified, so does this mean that everything is cool? There are some back-ups in Sybot S & D. Should I delete these just to be sure? I honestly can't tell you how much help you've been. Thanks again, rml :D

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 07:15 PM

There are some back-ups in Sybot S & D. Should I delete these just to be sure?

Yes.

Good Job :thumbup:

Log looks good :D :thumbup: How is it running any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#13 rml

rml

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts

Posted 01 April 2006 - 07:26 PM

System restore is off--- will create new restore point, and take advantage of the other tips you sent. Thank you once again LDTATE--- good job............... :wavey:

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 07:27 PM

Great job :thumbup: You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 07:32 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users