CoolWWWsearch Problem


kkay
09-29-2005, 08:50 PM
I am a new member and am posting here because I couldn't figure out how to start a new post. :rolleyes:

The first post in this thread could almost have been written by me. I have the same problems with CoolWWWSearch, and also a couple of others called Trek Blue Error Nuker & Adware.SearchPage.

I am running the following programs:

Norton Antivirus
Spybot S&D
AdAware 6
Microsoft's AntiSpyware
Spyware Blaster
BHO Demon
Panicware Popup Stopper & AntiSpyware

Nothing has been able to permanently get rid of my recurring problems. I can run Microsoft's AntiSpyware and it may find 0-3 problems, say it removed them, then turn around and run Spybot and it will find from 20 to 1000.

Four of my programs are giving me pop-ups telling me about attempted changes. This happens every 20 seconds or so, until I get so tired of it I turn them off.

At one point I couldn't even get IE to start. I don't know what fixed that! I am not having as much problem with home page hijacking as when I started, probably because of all the different programs telling me about the attempted change.

I also get the very official looking pop-up that was mentioned in the first post.

"...Windows Security Center warning (stating WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passords. Do you want to learn how to protect your computer?)..."

When I click on this I get what looks like a Windows site page, with a link to buy an anti-spyware program (SpySheriff). I didn't look at the URL. I just click "No" every time it pops up now.

I would appreciate any help. This has been driving me crazy for two weeks now. I am tempted to just get a new HD and start over.

After reading a couple of the threads on your forum, I downloaded Hijack This. I will paste the log in a separate post.

kkay
09-29-2005, 08:54 PM
(Part 1)

Logfile of HijackThis v1.99.1
Scan saved at 7:00:33 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\addnt32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\addnt32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\winfj32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Karen\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

kkay
09-29-2005, 08:55 PM
(Part 2)


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {516A362F-DE3A-94DC-5804-B13F008710B5} - C:\WINDOWS\system32\winao32.dll
O2 - BHO: Class - {6C6535B8-0E28-10F8-F18F-4A14786EF2AB} - C:\WINDOWS\winwi32.dll
O2 - BHO: Class - {6F3C448D-F236-C71F-D625-50ABA41C39B6} - C:\WINDOWS\system32\d3gd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D2B7BAA3-33AD-6C59-40FC-FCC46F8F765E} - C:\WINDOWS\apimv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winfj32.exe] C:\WINDOWS\winfj32.exe
O4 - HKLM\..\Run: [sysne.exe] C:\WINDOWS\sysne.exe
O4 - HKLM\..\Run: [crgj.exe] C:\WINDOWS\crgj.exe
O4 - HKLM\..\Run: [javaod32.exe] C:\WINDOWS\javaod32.exe
O4 - HKLM\..\Run: [ntvq.exe] C:\WINDOWS\system32\ntvq.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [javayt32.exe] C:\WINDOWS\javayt32.exe
O4 - HKLM\..\Run: [javakb.exe] C:\WINDOWS\javakb.exe
O4 - HKLM\..\Run: [sdktw32.exe] C:\WINDOWS\system32\sdktw32.exe
O4 - HKLM\..\Run: [ntsk32.exe] C:\WINDOWS\system32\ntsk32.exe
O4 - HKLM\..\Run: [iewk32.exe] C:\WINDOWS\iewk32.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sdkfj32.exe] C:\WINDOWS\system32\sdkfj32.exe
O4 - HKLM\..\Run: [crbv.exe] C:\WINDOWS\system32\crbv.exe
O4 - HKLM\..\Run: [sysfx32.exe] C:\WINDOWS\sysfx32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\RunOnce: [addnt32.exe] C:\WINDOWS\addnt32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

classicsoftware
09-29-2005, 09:09 PM
I split your thread off into a new thread. To start one on your own, go to any individual forum and there is a button at the top for a new thread.

You will need to turn off the tea timer or any fixes will be lost.

You will need to place HijackThis in a permanent folder. Running it from the temp folder may make it harder to reverse any changes if something goes wrong.

I'll start working on the log and get back to you soon.....

classicsoftware
09-30-2005, 12:10 AM
**********************************************************
* READ THIS CAREFULLY. DO NOT FOLLOW THESE STEPS UNTIL THEY ARE *
* CONFIRMED BY ME OR BUDFRED. PLEASE WAIT FOR CONFIRMATION. *
* THERE IS ONE ITEM I AM CONCERNED ABOUT AND WOULD FEEL MORE *
* COMFORTABLE WITH A SECOND OPINION BEFORE RUNNING THESE STEPS *
**********************************************************

1) Download this fix (http://securityresponse.symantec.com/avcenter/FxBlzFnd.exe) from Symantec. Run the fix.

2) Download CWSHREDDER (http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41). Update and Run the program.

3) Load Hijack this and place a check next to:

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {516A362F-DE3A-94DC-5804-B13F008710B5} - C:\WINDOWS\system32\winao32.dll
O2 - BHO: Class - {6C6535B8-0E28-10F8-F18F-4A14786EF2AB} - C:\WINDOWS\winwi32.dll
O2 - BHO: Class - {6F3C448D-F236-C71F-D625-50ABA41C39B6} - C:\WINDOWS\system32\d3gd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D2B7BAA3-33AD-6C59-40FC-FCC46F8F765E} - C:\WINDOWS\apimv.dll

O4 - HKLM\..\Run: [winfj32.exe] C:\WINDOWS\winfj32.exe
O4 - HKLM\..\Run: [sysne.exe] C:\WINDOWS\sysne.exe
O4 - HKLM\..\Run: [crgj.exe] C:\WINDOWS\crgj.exe
O4 - HKLM\..\Run: [javaod32.exe] C:\WINDOWS\javaod32.exe
O4 - HKLM\..\Run: [ntvq.exe] C:\WINDOWS\system32\ntvq.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [javayt32.exe] C:\WINDOWS\javayt32.exe
O4 - HKLM\..\Run: [javakb.exe] C:\WINDOWS\javakb.exe
O4 - HKLM\..\Run: [sdktw32.exe] C:\WINDOWS\system32\sdktw32.exe
O4 - HKLM\..\Run: [ntsk32.exe] C:\WINDOWS\system32\ntsk32.exe
O4 - HKLM\..\Run: [iewk32.exe] C:\WINDOWS\iewk32.exe
O4 - HKLM\..\Run: [sdkfj32.exe] C:\WINDOWS\system32\sdkfj32.exe
O4 - HKLM\..\Run: [crbv.exe] C:\WINDOWS\system32\crbv.exe
O4 - HKLM\..\Run: [sysfx32.exe] C:\WINDOWS\sysfx32.exe
O4 - HKLM\..\RunOnce: [addnt32.exe] C:\WINDOWS\addnt32.exe

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Close all program and browser windows and click fix checked.

Re-boot and post a fresh log and tell us how the system is running.

**********************************************************
* READ THIS CAREFULLY. DO NOT FOLLOW THESE STEPS UNTIL THEY ARE *
* CONFIRMED BY ME OR BUDFRED. PLEASE WAIT FOR CONFIRMATION. *
* THERE IS ONE ITEM I AM CONCERNED ABOUT AND WOULD FEEL MORE *
* COMFORTABLE WITH A SECOND OPINION BEFORE RUNNING THESE STEPS *
**********************************************************

Budfred
09-30-2005, 07:28 AM
These don't need to be fixed:

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

And this does need to be fixed:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

Also, if you have the resident protection in MS AntiSpyware running, you need to turn it off before beginning the fixes so that it doesn't interfere... Turn it back on afterward...

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.
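As an added example (not code from this thread, from HijackThis, or from the helpers posting here), the following Python script applies the triage rules the two replies above use to raw HijackThis log lines: an F2 UserInit value that chains anything after userinit.exe, O2 BHOs with the generic name "Class" or a missing DLL, O4 Run/RunOnce entries whose value name equals a short random-looking file name dropped straight into the Windows directory, and (going a little beyond this post, since it only shows up in the log kkay posts later in the thread) R0/R1 search or start pages pointing at a res:// resource inside a local DLL. Assumptions: Windows lives in C:\WINDOWS as in kkay's log; the sample lines are constructed from entries posted in this thread; KNOWN_GOOD is a stand-in allowlist (ctfmon.exe is a legitimate XP autorun that would otherwise trip the random-name rule). Everything it flags is a lead for a person to check, not a verdict; vendor entries such as NavShExt.dll and gcasServ.exe pass because none of the rules look at Program Files.

```python
import re

# Constructed sample: HijackThis v1.99.1 lines in the format posted in this thread
# (a subset of kkay's entries plus one res:// line from the log posted later).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {516A362F-DE3A-94DC-5804-B13F008710B5} - C:\WINDOWS\system32\winao32.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [winfj32.exe] C:\WINDOWS\winfj32.exe
O4 - HKLM\..\Run: [ntvq.exe] C:\WINDOWS\system32\ntvq.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\RunOnce: [addnt32.exe] C:\WINDOWS\addnt32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Line shapes HijackThis uses for the entry types examined here.
F2_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(?P<value>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<target>.+)$')
R_RE = re.compile(r'^R[01] - (?P<key>.+?) = (?P<value>.*)$')
# First .exe path in an O4 target, with or without surrounding quotes.
EXE_PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.I)
# Short, meaningless file names like winfj32.exe / ntvq.exe seen in this thread.
RANDOM_NAME_RE = re.compile(r'^[a-z]{2,8}\d{0,2}\.exe$', re.I)
# Assumed allowlist: legitimate XP autoruns that would otherwise match the
# random-name rule (value name equals file name, file sits in system32).
KNOWN_GOOD = {'ctfmon.exe'}


def in_windows_dir(path, windir=r'C:\WINDOWS'):
    """True if path is a file directly in <windir> or <windir>\\system32."""
    p = path.lower()
    for prefix in (windir.lower() + '\\system32\\', windir.lower() + '\\'):
        if p.startswith(prefix) and '\\' not in p[len(prefix):]:
            return True
    return False


def userinit_extras(value, windir=r'C:\WINDOWS'):
    """Programs chained after userinit.exe in the UserInit value (normally none)."""
    expected = windir.lower() + r'\system32\userinit.exe'
    parts = [p.strip() for p in value.split(',') if p.strip()]
    return [p for p in parts if p.lower() != expected]


def check_f2(m, windir):
    extras = userinit_extras(m['value'], windir)
    return ('UserInit chains extra program(s): ' + ', '.join(extras)) if extras else None


def check_o2(m, windir):
    if m['path'].endswith('(file missing)'):
        return 'BHO registered but its DLL is gone (dead entry, still worth removing)'
    if m['name'].strip() == 'Class':
        return 'BHO with a generic name and no identifiable vendor'
    return None


def check_o4(m, windir):
    pm = EXE_PATH_RE.match(m['target'])
    if not pm:
        return None
    path = pm['path']
    base = path.rsplit('\\', 1)[-1]
    if base.lower() in KNOWN_GOOD:
        return None
    if (in_windows_dir(path, windir) and RANDOM_NAME_RE.match(base)
            and m['name'].lower() == base.lower()):
        return 'autorun of a randomly named exe placed directly in the Windows dir'
    return None


def check_r(m, windir):
    if m['value'].lower().startswith('res://'):
        return 'IE search/start page redirected to a local DLL resource (res://)'
    return None


RULES = [(F2_RE, check_f2), (O2_RE, check_o2), (O4_RE, check_o4), (R_RE, check_r)]


def triage(log_text, windir=r'C:\WINDOWS'):
    """Return (line, reason) pairs for log lines matching a suspicious pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for regex, check in RULES:
            m = regex.match(line)
            if m:
                reason = check(m, windir)
                if reason:
                    findings.append((line, reason))
                break
    return findings


if __name__ == '__main__':
    for line, reason in triage(SAMPLE_LOG):
        print(f'{reason}\n    {line}')
```

Run it as-is and it prints one reason per flagged line from the constructed sample; to use it on a real log, pass the file's text to triage() and extend KNOWN_GOOD (and windir) for that machine. O20 and O23 entries are deliberately left alone, as Budfred does with igfxcui, because deciding those needs vendor knowledge the rules do not encode.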

kkay
10-02-2005, 05:58 PM
Sorry it is taking so long to post. I am trying to do this in my very limited spare time.

I downloaded HijackThis to my desktop.

As for turning off the TeaTimer, would that be unchecking the "Resident" box in Spybot?

Then I am ready to try the fixes - Symantec fix, CWShredder, and HijackThis, right?

Budfred
10-02-2005, 06:02 PM
Here are instructions for turning off TeaTimer...

1) Run Spybot-S&D
2) Go to the Mode menu and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Keep in mind that running 2 resident anti-spyware programs at the same time can cause conflicts...

kkay
10-04-2005, 11:34 PM
I followed your steps - I was kind of scared to at first, but I did it. It went pretty smoothly. I have a few questions, though.

I ran the Symantec "fix", which I have done before, and it said that Adware.BlazeFind was not found on my computer.

Also, when I ran the CWShredder, it showed everything as not found or not present, and I got this message when it finished:


Done!
Your system was completely clean.

Windows XP (5.01.2600 SP2)
CWShredder v1.59.1
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit:
http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.spywareinfo.com/~merijn/cwschronicles.html

For donations to help support CWShredder, visit:
http://www.spywareinfo.com/~merijn/donate.html

I went to check the boxes in HijackThis and the only problem I had was that I didn't find one of them:

O4 - HKLM\..\RunOnce: [addnt32.exe] C:\WINDOWS\addnt32.exe

I turned the Windows AntiSpyware settings back on, but not the Spybot TeaTimer. If there is a conflict when running both, the Windows one is a lot less annoying.

BHODemon ran at startup and found seven Malware files. Only one was enabled (appmy32.dll) & three said "file missing". They all listed CoolWebSearch/HomeSearch in the description.

I just ran Windows AntiSpyware and it found Adware.SearchPage, which it finds just about every time. (I don't think it ever found CoolWWWSearch)

Spybot started to run when I rebooted, but I stopped it because it takes so long. The good thing is, normally when I stop it, it has already found CoolWWWSearch and this time it didn't.

Also, I have not had a single pop-up or Windows AntiSpyware notification of attempted changes since I got back online. So far it seems to be running much better, except for the couple of things I mentioned.

One of the fixes (HijackThis?) said I might download a patch, WindowsXP SP1a, or remove some kind of Windows java file - I can't remember the exact name. What would your recommendation be?

Thank you so much for your help. I have been fighting this for weeks now. I hope it is back to normal now.

kkay
10-04-2005, 11:37 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:12:19 PM, on 10/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {10906011-F56B-D0FC-A5B8-30DA3C759364} - C:\WINDOWS\system32\appmy32.dll
O2 - BHO: Class - {2E1795BA-9C0A-FCDF-ADE0-49152ED82044} - C:\WINDOWS\system32\ntqv.dll
O2 - BHO: Class - {3FC6766B-1971-121F-63D0-CE5C593B0933} - C:\WINDOWS\system32\sysfj32.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {7A962851-6247-10A7-D229-F24119B7ADA4} - C:\WINDOWS\nethn32.dll (file missing)
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winmx32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F20341B7-4D4B-5B61-38C8-74F9630B49F0} - C:\WINDOWS\system32\winis32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sdkhz32.exe] C:\WINDOWS\sdkhz32.exe
O4 - HKLM\..\Run: [mfcmt32.exe] C:\WINDOWS\mfcmt32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Budfred
10-05-2005, 01:01 AM
While you are waiting for classicsoftware to come by with the next fix... You do still have some CWS there.... Please run Ewido to see if that will kill it:

Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

From the main ewido screen, click on update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful")

Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

kkay
10-05-2005, 08:03 PM
Do I need to post the ewido report? I will have to divide it into about 5 posts.

Logfile of HijackThis v1.99.1
Scan saved at 6:58:00 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Works\wkswp.exe
c:\Program Files\Microsoft Works\MSWorks.exe
c:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2E1795BA-9C0A-FCDF-ADE0-49152ED82044} - C:\WINDOWS\system32\ntqv.dll
O2 - BHO: Class - {3FC6766B-1971-121F-63D0-CE5C593B0933} - C:\WINDOWS\system32\sysfj32.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {7A962851-6247-10A7-D229-F24119B7ADA4} - C:\WINDOWS\nethn32.dll (file missing)
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winmx32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F20341B7-4D4B-5B61-38C8-74F9630B49F0} - C:\WINDOWS\system32\winis32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

kkay
10-05-2005, 08:04 PM
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sdkhz32.exe] C:\WINDOWS\sdkhz32.exe
O4 - HKLM\..\Run: [mfcmt32.exe] C:\WINDOWS\mfcmt32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

classicsoftware
10-05-2005, 11:33 PM
You really need to try to post this with word wrap off. It is impossible to read your log this way.

I'll get back to you shortly...

Budfred
10-06-2005, 12:08 AM
You don't need to post the Ewido log if you allowed it to fix everything it found, but hold on to it in case we need it later...

classicsoftware
10-06-2005, 01:08 AM
First: Download and install CWSHREDDER (http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41) Make sure you update it to the latest version.

Next Download and Install About Buster (http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41) Make sure you update this also.

Next boot into safe mode:

1) Run CWSHREDDER
2) Run About Buster twice.
3) Load HJT and place a check next to the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049

O2 - BHO: Class - {2E1795BA-9C0A-FCDF-ADE0-49152ED82044} - C:\WINDOWS\system32\ntqv.dll
O2 - BHO: Class - {3FC6766B-1971-121F-63D0-CE5C593B0933} - C:\WINDOWS\system32\sysfj32.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {7A962851-6247-10A7-D229-F24119B7ADA4} - C:\WINDOWS\nethn32.dll (file missing)
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winmx32.dll (file missing)
O2 - BHO: Class - {F20341B7-4D4B-5B61-38C8-74F9630B49F0} - C:\WINDOWS\system32\winis32.dll

O4 - HKLM\..\Run: [sdkhz32.exe] C:\WINDOWS\sdkhz32.exe
O4 - HKLM\..\Run: [mfcmt32.exe] C:\WINDOWS\mfcmt32.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all program and browser windows except HJT and click "Fix checked".

Re-boot into normal mode and delete the following:

C:\WINDOWS\sdkhz32.exe
C:\WINDOWS\mfcmt32.exe
C:\WINDOWS\system32\winis32.dll
C:\WINDOWS\system32\sysfj32.dll
C:\WINDOWS\system32\ntqv.dll
C:\WINDOWS\system32\cuycn.dll
You may have to show hidden (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) files.

Re-boot and post a fresh HJT log.

Budfred
10-06-2005, 01:18 AM
Sorry to contradict, but DON'T update AboutBuster if you can download it... The author is having problems with the update site right now and it will break it if you try to update... I would also run Ewido again before the HJT fixes...

kkay
10-07-2005, 07:26 PM
I ran the CWShredder and AboutBuster in Safe Mode before I noticed the suggestion to run ewido again. I did not let it fix everything the first time until I was sure. Some of the files were cookies and some were in "quarantine".

There were six files I didn't find when I ran HijackThis. Four of them were similar, and I was pretty sure I should check them, but I figured I'd better wait and find out for sure. The only difference was "korfk" instead of "cuycn". I noticed when I restarted, Windows AntiSpyware popped up saying these same files were trying to change from "korfk" to something else.

I didn't find either of the ones starting 06-HKCU...

Should I run ewido from Safe Mode also?

kkay
10-07-2005, 07:43 PM
Logfile of HijackThis v1.99.1
Scan saved at 6:04:09 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll
O2 - BHO: Class - {1F565452-33A1-FAF1-92CC-B3819646C738} - C:\WINDOWS\system32\msbs32.dll
O2 - BHO: Class - {2E1795BA-9C0A-FCDF-ADE0-49152ED82044} - C:\WINDOWS\system32\ntqv.dll
O2 - BHO: Class - {3FC6766B-1971-121F-63D0-CE5C593B0933} - C:\WINDOWS\system32\sysfj32.dll
O2 - BHO: Class - {4005C68E-E6A6-3DC8-CE42-5C3DFA9ACA22} - C:\WINDOWS\javaml.dll
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\sysig.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {7A962851-6247-10A7-D229-F24119B7ADA4} - C:\WINDOWS\nethn32.dll (file missing)
O2 - BHO: Class - {A1D24CBA-FEB6-5BD6-ABE5-BD9E36A20FCD} - C:\WINDOWS\system32\sdkpf32.dll
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winmx32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C4843FF7-AE70-BF42-6057-827D9D3007CE} - C:\WINDOWS\apika32.dll
O2 - BHO: Class - {F20341B7-4D4B-5B61-38C8-74F9630B49F0} - C:\WINDOWS\system32\winis32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sdkhz32.exe] C:\WINDOWS\sdkhz32.exe
O4 - HKLM\..\Run: [mfcmt32.exe] C:\WINDOWS\mfcmt32.exe
O4 - HKLM\..\Run: [javamh32.exe] C:\WINDOWS\javamh32.exe
O4 - HKLM\..\RunOnce: [addvq32.exe] C:\WINDOWS\system32\addvq32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

classicsoftware
10-07-2005, 11:21 PM
When you installed CWSHREDDER, did you download and install ALL of the updates? I can't believe it came up clean.

Let's try safe mode again:

Run The Ewido Scan
Run About Buster twice.

Open HJT and fix the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\korfk.dll/sp.html#37049

O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll
O2 - BHO: Class - {1F565452-33A1-FAF1-92CC-B3819646C738} - C:\WINDOWS\system32\msbs32.dll
O2 - BHO: Class - {2E1795BA-9C0A-FCDF-ADE0-49152ED82044} - C:\WINDOWS\system32\ntqv.dll
O2 - BHO: Class - {3FC6766B-1971-121F-63D0-CE5C593B0933} - C:\WINDOWS\system32\sysfj32.dll
O2 - BHO: Class - {4005C68E-E6A6-3DC8-CE42-5C3DFA9ACA22} - C:\WINDOWS\javaml.dll
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\sysig.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {7A962851-6247-10A7-D229-F24119B7ADA4} - C:\WINDOWS\nethn32.dll (file missing)
O2 - BHO: Class - {A1D24CBA-FEB6-5BD6-ABE5-BD9E36A20FCD} - C:\WINDOWS\system32\sdkpf32.dll
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winmx32.dll (file missing)
O2 - BHO: Class - {C4843FF7-AE70-BF42-6057-827D9D3007CE} - C:\WINDOWS\apika32.dll
O2 - BHO: Class - {F20341B7-4D4B-5B61-38C8-74F9630B49F0} - C:\WINDOWS\system32\winis32.dll

O4 - HKLM\..\Run: [sdkhz32.exe] C:\WINDOWS\sdkhz32.exe
O4 - HKLM\..\Run: [mfcmt32.exe] C:\WINDOWS\mfcmt32.exe
O4 - HKLM\..\Run: [javamh32.exe] C:\WINDOWS\javamh32.exe
O4 - HKLM\..\RunOnce: [addvq32.exe] C:\WINDOWS\system32\addvq32.exe

Re-boot and post a new HJT log and the contents of the four About Buster logs: two from the first fix and two from this fix. This should be done by now.
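
The three logs above carry the same hijack with a different DLL name each time (cuycn, then korfk, then zuidy), which is why a fix list keyed on file names goes stale between reboots. As an added example (not code from this thread, from HijackThis, or from the tools linked above), the Python below parses HijackThis log lines and flags entries by shape rather than by name: a res:// search URL into a short random DLL in system32, BHOs registered with no description or pointing at a file that is already gone, Run values named after a bare .exe dropped straight into the Windows directory, IE restriction policies, and services with no owner. The sample lines are constructed from the logs posted in this thread; the rules (the four-to-six-letter DLL name, the two Windows directories, the "Class" BHO name) are my assumptions drawn from those logs, not a published CWS signature.

```python
"""Triage a HijackThis 1.99 log for the CoolWebSearch pattern seen in this thread.
Added example, not code from the thread or from HijackThis; rules are assumptions
inferred from the three logs above, and the sample is constructed from them."""
import ntpath
import re
from typing import Dict, List, Set

# Constructed sample (the garbled O23 service name is shortened to plain ASCII).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysfa32.exe] C:\WINDOWS\sysfa32.exe
O4 - HKLM\..\RunOnce: [addvq32.exe] C:\WINDOWS\system32\addvq32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Network Security Service ( 11F#) - Unknown owner - C:\WINDOWS\winrt.exe" /s (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# The Default_Search_URL value from the three logs: same shape, rotating DLL name.
OBSERVED_HIJACK_URLS = [
    r"res://C:\WINDOWS\system32\cuycn.dll/sp.html#37049",
    r"res://C:\WINDOWS\system32\korfk.dll/sp.html#37049",
    r"res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049",
]

# Match the shape of the hijack (res:// into a short random DLL in system32), not a name.
CWS_RES = re.compile(
    r"res://(?P<dll>[A-Za-z]:\\WINDOWS\\system32\\(?P<name>[a-z]{4,6})\.dll)/sp\.html#\d+",
    re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
MISSING = "(file missing)"
WINDIRS = {r"c:\windows", r"c:\windows\system32"}  # where the droppers in this thread live


def first_exe(cmd: str) -> str:
    """Executable path out of a Run value or service image path (quotes and args dropped)."""
    m = EXE_RE.search(cmd)
    return m.group(0) if m else cmd.strip().strip('"')


def _finding(section: str, reason: str, item: str, missing: bool = False) -> Dict[str, object]:
    return {"section": section, "reason": reason, "item": item, "missing": missing}


def triage(log_text: str) -> List[Dict[str, object]]:
    """One finding per log line that matches a CWS indicator, in log order."""
    out: List[Dict[str, object]] = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        section = line.split(" - ", 1)[0]
        m = CWS_RES.search(line)
        if section in ("R0", "R1", "R3") and m:
            out.append(_finding(section, "IE search setting served from a local res:// DLL", m.group("dll")))
            continue
        m = BHO_RE.match(line)
        if m:  # a BHO registered with no description, or whose DLL is already gone
            if m.group("name") == "Class" or MISSING in m.group("path"):
                path = m.group("path").replace(" " + MISSING, "")
                out.append(_finding("O2", "undescribed or missing BHO", path, MISSING in m.group("path")))
            continue
        m = RUN_RE.match(line)
        if m:  # Run value named after a bare .exe dropped straight into the Windows directory
            exe = first_exe(m.group("cmd"))
            if m.group("value").lower().endswith(".exe") and ntpath.dirname(exe).lower() in WINDIRS:
                out.append(_finding("O4", "autorun of a dropper in the Windows directory", exe))
            continue
        if section == "O6":  # policy keys that lock the hijacked settings against the user
            out.append(_finding("O6", "IE restriction policy set", line))
            continue
        m = SVC_RE.match(line)
        if m and (m.group("owner") == "Unknown owner" or MISSING in m.group("path")):
            out.append(_finding("O23", "service with unknown owner or missing image",
                                first_exe(m.group("path")), MISSING in m.group("path")))
    return out


def files_to_delete(findings: List[Dict[str, object]]) -> Set[str]:
    """Files to remove on disk after the HJT fix; 'file missing' entries are registry-only."""
    return {str(f["item"]) for f in findings if f["section"] != "O6" and not f["missing"]}


def hijack_dll_names(urls: List[str]) -> List[str]:
    """The rotating DLL name from each hijack URL; URLs that do not fit the shape are dropped."""
    return [m.group("name") for m in map(CWS_RES.search, urls) if m]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}: {f['item']}")
    print("rotating names:", hijack_dll_names(OBSERVED_HIJACK_URLS))
```

Run it as a script to print the findings for the sample, or pass a whole log pasted into a string to triage(). files_to_delete() gives the on-disk leftovers to remove in Safe Mode after the HJT fix and skips the "(file missing)" entries, which only need their registry entries cleared. hijack_dll_names() is the point of the exercise: the three URLs from the three logs all reduce to the same shape, so a check written this way keeps matching after the next reboot renames the DLL again.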

kkay
10-07-2005, 11:53 PM
I did install updates, but the last time I ran it in Safe mode, it said the server was unavailable. I just finished running CWShredder, AboutBuster (2x), ewido, and HijackThis in Safe Mode.

CWShredder always comes up clean. The others always find something. Ewido finds things in Panicware & HijackThis quarantines & backups. Should I remove them?

I will post the HijackThis log I just finished.

kkay
10-07-2005, 11:56 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:47:10 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winrt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\WINDOWS\sysfa32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)

kkay
10-07-2005, 11:57 PM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll
O2 - BHO: Class - {1F565452-33A1-FAF1-92CC-B3819646C738} - C:\WINDOWS\system32\msbs32.dll
O2 - BHO: Class - {4005C68E-E6A6-3DC8-CE42-5C3DFA9ACA22} - C:\WINDOWS\javaml.dll
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\sysig.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {A1D24CBA-FEB6-5BD6-ABE5-BD9E36A20FCD} - C:\WINDOWS\system32\sdkpf32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C4843FF7-AE70-BF42-6057-827D9D3007CE} - C:\WINDOWS\apika32.dll
O2 - BHO: Class - {DD4FB04F-8E1A-6818-993B-3C489CB8A5FF} - C:\WINDOWS\system32\javaib32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sysfa32.exe] C:\WINDOWS\sysfa32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winrt.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

kkay
10-07-2005, 11:59 PM
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:27:24 PM, 10/7/2005
+ Report-Checksum: 6287AE4B

+ Scan result:

C:\Program Files\HijackThis\backups\backup-20051007-181109-729.dll -> TrojanDownloader.Agent.bc : Ignored
C:\Program Files\HijackThis\backups\backup-20051007-181110-321.dll -> TrojanDownloader.Agent.bc : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-572954322-3641751640-2274663287-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{0391ACDF-A5AE-402C-8081-B44F1E7ED505} -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{249D1788-88C5-4656-854A-B13C6801839E} -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{2EAF08B9-6E51-47AF-B2DB-C241363F8120} -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{4001AD0D-698D-4B59-AE6C-E16C679407B2} -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{5E852281-397D-4463-AC96-4B3689ADB6B3} -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{AB723357-A607-43B8-9F26-FAF8377ECEAB} -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-13-2005 - 12-33-02.SBU/{87A4E4DF-ABA6-46C1-ADCE-95229FA18275} -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{0501D588-35F3-4CA5-8E84-D3426EC1868E} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{06DD07AE-CE19-4BA0-9BF9-5A6C338A5576} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{16065B5B-5A0F-4556-84FC-C95C7CEC7614} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{168C8EDB-DA7E-4E5F-8B09-EE77BA2C6215} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{187FF945-289A-40F8-8D0C-92F92574DA6D} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{1FB74E3B-2D6E-4BA4-90F2-E6FC4BEE95C2} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{295A63AF-BCF0-43B3-BE45-4123DF0C6B7B} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{35A272E9-4644-43F6-ABBB-BEEE2F38054E} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{3A80E3A7-7E4E-4981-8D1A-2F35A244E4FF} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{4156FD52-D2B1-47DA-B8C8-2A3193505F5A} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{4614F12B-203A-45E9-8AD2-08E43640F42E} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{485FA69F-0F11-4FF2-8626-ED6E8D78BADA} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{5A9E3802-3482-46BE-AAB5-962FB48EA955} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{5C2CC40F-626B-4BC7-BC5D-44143FAD4F9D} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{69D48C54-1061-42C4-A29D-5EEE4088BCEF} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{9C6762C5-05C4-4B94-81E7-331452B53608} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{A67BF81C-43B1-47FC-A6BA-D095E2452524} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{B3A701E3-7885-4671-BE1D-3F6A7F1C1F37} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{C631F302-74AF-4EF1-AD45-BE3DD29F1325} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{D66081A2-EC1B-4065-A282-AAD979F08C1D} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{DF8CBDDD-41B2-49D8-B702-4C117515E4D2} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{FD04F033-D248-4CB3-9006-B9274EDD15E1} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{FD34AD99-3F14-4968-BDD6-DB6A377B2FE2} -> TrojanDownloader.Agent.bq : Error during cleaning
C:\WINDOWS\puzql.dat:ctwpfd -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\win.ini:xnuent -> Spyware.SearchPage : Cleaned with backup


::Report End

classicsoftware
10-08-2005, 09:30 AM
We are going around in circles. Please tell me if you attempted to update AboutBuster. Also you need to post the AboutBuster logs.

Once we know this, we can attack it differently. At this point, DO NOT re-boot until we tell you to, as this morphs each time we re-boot.

kkay
10-08-2005, 11:50 PM
I did not try to update AboutBuster.

AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [5:52:11 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\awwmw.dat
Removed File! : C:\Windows\bhrvj.dat
Removed File! : C:\Windows\bqzqk.dat
Removed File! : C:\Windows\cnfnv.dat
Removed File! : C:\Windows\coyaz.dat
Removed File! : C:\Windows\depnp.dat
Removed File! : C:\Windows\duyjk.dat
Removed File! : C:\Windows\gevad.dat
Removed File! : C:\Windows\gfupd.dat
Removed File! : C:\Windows\hpdgb.dat
Removed File! : C:\Windows\iyiop.dat
Removed File! : C:\Windows\jcgfl.dat
Removed File! : C:\Windows\juscy.dat
Removed File! : C:\Windows\kkbbq.dat
Removed File! : C:\Windows\limga.dat
Removed File! : C:\Windows\lqyrn.dat
Removed File! : C:\Windows\mpqog.dat
Removed File! : C:\Windows\ntevu.dll
Removed File! : C:\Windows\okqsf.dat
Removed File! : C:\Windows\qezqn.dat
Removed File! : C:\Windows\rzotj.dat
Removed File! : C:\Windows\sqwqp.dat
Removed File! : C:\Windows\tyolk.dat
Removed File! : C:\Windows\xmamj.dat
Removed File! : C:\Windows\xtijk.dat
Removed File! : C:\Windows\yvkcn.dat
Removed File! : C:\Windows\zcdlq.dat
Removed File! : C:\Windows\System32\addog.exe
Removed File! : C:\Windows\System32\atlph.exe
Removed File! : C:\Windows\System32\avjvz.dat
Removed File! : C:\Windows\System32\bgmau.dat
Removed File! : C:\Windows\System32\crrl.exe
Removed File! : C:\Windows\System32\dqetj.dat
Removed File! : C:\Windows\System32\hfsja.dat
Removed File! : C:\Windows\System32\hmtlf.dat
Removed File! : C:\Windows\System32\ieku32.exe
Removed File! : C:\Windows\System32\igsna.dat
Removed File! : C:\Windows\System32\iqfxg.dat
Removed File! : C:\Windows\System32\kawzu.dat
Removed File! : C:\Windows\System32\korfk.dll
Removed File! : C:\Windows\System32\kpsjl.dat
Removed File! : C:\Windows\System32\kwilc.dat
Removed File! : C:\Windows\System32\mxcfm.dat
Removed File! : C:\Windows\System32\nhkyr.dat
Removed File! : C:\Windows\System32\ntzg.exe
Removed File! : C:\Windows\System32\pkzkc.dat
Removed File! : C:\Windows\System32\qggbd.dat
Removed File! : C:\Windows\System32\qhxmm.dll
Removed File! : C:\Windows\System32\qscwx.dat
Removed File! : C:\Windows\System32\sysve32.exe
Removed File! : C:\Windows\System32\vffqw.dat
Removed File! : C:\Windows\System32\wmnwy.dll
Removed File! : C:\Windows\System32\xgvhk.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:54:16 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [6:01:34 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:02:53 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [9:23:55 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\System32\wzkmb.dll
Removed File! : C:\Windows\System32\zuidy.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:25:29 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [9:25:55 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:27:12 PM

classicsoftware
10-09-2005, 12:02 AM
See if you can see this file that shows in the log as:
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winrt.exe" /s (file missing)

Right-click on the task bar and select Task Manager. Look under Processes and see if this is running. Also look for the bizarre files we have been taking out, the ones with random letters.

If they are there, we will have to kill the processes before we apply the fixes, as this is regenerating as soon as we kill it.

Please let us know what you find and we will finally kill this beast for you.

Budfred
10-09-2005, 01:32 AM
For this item, it would be a good idea to turn it off first and then fix it with HJT...

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winrt.exe" /s (file missing)

Go to Control Panel, Administrative Tools and select Services... Find Network Security Service and Stop it, then Disable it...

Open HJT and fix that line... Then proceed with classicsoftware's instructions... I would run the whole fix again in Safe Mode as well... That would include these HJT fixes in addition to running CWShredder, AboutBuster and Ewido again...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll
O2 - BHO: Class - {1F565452-33A1-FAF1-92CC-B3819646C738} - C:\WINDOWS\system32\msbs32.dll
O2 - BHO: Class - {4005C68E-E6A6-3DC8-CE42-5C3DFA9ACA22} - C:\WINDOWS\javaml.dll
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\sysig.dll
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {A1D24CBA-FEB6-5BD6-ABE5-BD9E36A20FCD} - C:\WINDOWS\system32\sdkpf32.dll
O2 - BHO: Class - {C4843FF7-AE70-BF42-6057-827D9D3007CE} - C:\WINDOWS\apika32.dll
O2 - BHO: Class - {DD4FB04F-8E1A-6818-993B-3C489CB8A5FF} - C:\WINDOWS\system32\javaib32.dll
O4 - HKLM\..\Run: [sysfa32.exe] C:\WINDOWS\sysfa32.exe

Then find and delete these files:

C:\WINDOWS\sysfa32.exe
C:\WINDOWS\winrt.exe

Report in detail about any problem you had following these instructions...
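
The checks Budfred applies by eye to that log (IE search settings served out of a local DLL via res://, BHOs registered with no name but "Class", a service with an unknown owner whose file is missing, Run entries pointing straight into C:\WINDOWS) can be run mechanically over a HijackThis log. The script below is an added example, my own code rather than anything from this thread or from HijackThis; the sample lines are constructed in the shape of the logs posted here (the service name is simplified to plain ASCII), and the heuristics are assumptions about what is worth asking about, not a signature database.

```python
"""Triage a HijackThis (HJT) 1.99-style log for the CoolWebSearch patterns seen in this thread.

Added example; not part of the original forum posts or of HijackThis itself.
Every hit is something a helper would ask about, not proof of infection.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of HJT 1.99.1 output (paths/CLSIDs mirror the thread;
# the service's garbled binary name is replaced by a plain ASCII placeholder).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuidy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysfa32.exe] C:\WINDOWS\sysfa32.exe
O4 - HKLM\..\RunOnce: [apivn32.exe] C:\WINDOWS\system32\apivn32.exe
O23 - Service: Network Security Service (NetSecSvc) - Unknown owner - C:\WINDOWS\winrt.exe" /s (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# First drive-letter path ending in .exe/.dll/.dat; stops at a quote so HJT's mangled
# quoting (...winrt.exe" /s) does not swallow the trailing arguments.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|dat))', re.I)


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def image_path(line: str) -> str:
    """Return the first Windows file path on an HJT line, or '' if there is none."""
    m = PATH_RE.search(line)
    return m.group(1) if m else ""


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS, not in a subdirectory.
    None of the legitimate Run/BHO/Service entries in the thread live there."""
    return re.fullmatch(r"[A-Za-z]:\\windows\\[^\\]+", path, re.I) is not None


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics to every line; return only the lines that tripped at least one."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # R0, R1, O2, O4, O23, ...
        path = image_path(line)
        reasons: List[str] = []
        if kind in ("R0", "R1", "R3") and "res://" in line:
            reasons.append("IE search/start setting served from a local DLL resource")
        if kind == "O2" and line.startswith("O2 - BHO: Class - "):
            reasons.append("BHO registered with no real name, only 'Class'")
        if kind == "O23" and "Unknown owner" in line:
            reasons.append("service with unknown owner")
        if "(file missing)" in line:
            reasons.append("registered file is missing (orphan or self-deleting)")
        if kind == "O4" and "RunOnce" in line:
            reasons.append("RunOnce entry; transient by design, so a persistent one is suspect")
        if path and in_windows_root(path):
            reasons.append("executable/DLL directly in C:\\WINDOWS")
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


def files_to_remove(findings: List[Finding]) -> List[str]:
    """Paths from flagged entries that the log says are still on disk (not marked missing)."""
    return sorted({f.path for f in findings if f.path and "(file missing)" not in f.line})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
    print("files to delete:", files_to_remove(triage(SAMPLE_LOG)))
```

The rules are deliberately narrow so the Symantec, Adobe and Apple entries in the same log stay quiet; the point is to separate the handful of lines worth handing back to HJT's "Fix checked" from the dozens of legitimate ones, not to replace a helper's judgement.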

kkay
10-09-2005, 02:21 PM
I didn't try to update AboutBuster.

AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [5:52:11 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\awwmw.dat
Removed File! : C:\Windows\bhrvj.dat
Removed File! : C:\Windows\bqzqk.dat
Removed File! : C:\Windows\cnfnv.dat
Removed File! : C:\Windows\coyaz.dat
Removed File! : C:\Windows\depnp.dat
Removed File! : C:\Windows\duyjk.dat
Removed File! : C:\Windows\gevad.dat
Removed File! : C:\Windows\gfupd.dat
Removed File! : C:\Windows\hpdgb.dat
Removed File! : C:\Windows\iyiop.dat
Removed File! : C:\Windows\jcgfl.dat
Removed File! : C:\Windows\juscy.dat
Removed File! : C:\Windows\kkbbq.dat
Removed File! : C:\Windows\limga.dat
Removed File! : C:\Windows\lqyrn.dat
Removed File! : C:\Windows\mpqog.dat
Removed File! : C:\Windows\ntevu.dll
Removed File! : C:\Windows\okqsf.dat
Removed File! : C:\Windows\qezqn.dat
Removed File! : C:\Windows\rzotj.dat
Removed File! : C:\Windows\sqwqp.dat
Removed File! : C:\Windows\tyolk.dat
Removed File! : C:\Windows\xmamj.dat
Removed File! : C:\Windows\xtijk.dat
Removed File! : C:\Windows\yvkcn.dat
Removed File! : C:\Windows\zcdlq.dat
Removed File! : C:\Windows\System32\addog.exe
Removed File! : C:\Windows\System32\atlph.exe
Removed File! : C:\Windows\System32\avjvz.dat
Removed File! : C:\Windows\System32\bgmau.dat
Removed File! : C:\Windows\System32\crrl.exe
Removed File! : C:\Windows\System32\dqetj.dat
Removed File! : C:\Windows\System32\hfsja.dat
Removed File! : C:\Windows\System32\hmtlf.dat
Removed File! : C:\Windows\System32\ieku32.exe
Removed File! : C:\Windows\System32\igsna.dat
Removed File! : C:\Windows\System32\iqfxg.dat
Removed File! : C:\Windows\System32\kawzu.dat
Removed File! : C:\Windows\System32\korfk.dll
Removed File! : C:\Windows\System32\kpsjl.dat
Removed File! : C:\Windows\System32\kwilc.dat
Removed File! : C:\Windows\System32\mxcfm.dat
Removed File! : C:\Windows\System32\nhkyr.dat
Removed File! : C:\Windows\System32\ntzg.exe
Removed File! : C:\Windows\System32\pkzkc.dat
Removed File! : C:\Windows\System32\qggbd.dat
Removed File! : C:\Windows\System32\qhxmm.dll
Removed File! : C:\Windows\System32\qscwx.dat
Removed File! : C:\Windows\System32\sysve32.exe
Removed File! : C:\Windows\System32\vffqw.dat
Removed File! : C:\Windows\System32\wmnwy.dll
Removed File! : C:\Windows\System32\xgvhk.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:54:16 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [6:01:34 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:02:53 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [9:23:55 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\System32\wzkmb.dll
Removed File! : C:\Windows\System32\zuidy.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:25:29 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [9:25:55 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:27:12 PM

Budfred
10-09-2005, 06:07 PM
This is an exact duplicate of the post you posted two days ago... What is going on now??

kkay
10-09-2005, 07:01 PM
Sorry. I got on today and didn't see my post, so I posted it again.

kkay
10-09-2005, 07:26 PM
winrt.exe was running when I looked in Task Manager. After stopping it in Admin Tools, it tried to start up, but I blocked it with Windows AntiSpyware. I did not see it when I ran HJT.

I have no idea what a lot of the processes running are. I stopped two of them.

sysfa32.exe
apkvn32.exe (I'm not sure I remember that one right)

I am getting ready to run all the fixes in Safe Mode.

kkay
10-09-2005, 09:24 PM
I ran all the fixes in Safe Mode. (I know you said not to reboot, but I had to so I could get online & post - should I be able to connect from Safe Mode?)

CWShredder came up clean.
AboutBuster was clean.
ewido found 33 problems and fixed all of them. I checked to remove the ones in Panicware's quarantine this time.

HJT- none of the "R1-..." entries were there.
I checked and fixed all the others and deleted the two files. While I was looking for those two, I found a lot of others that looked suspicious (from what little I know). I started writing them down, but there were so many I just wrote down the starting letters:

add
api
app
atl
cr
d3
ie
java
mfc
ms
net
nt

these I wrote down the whole name, if you want them:

sdk
sys
win

When I restarted, Windows AntiSpyware notified me that "apivn32" was trying to start. I blocked it but it started anyway. I ended it in Task Manager, but it comes right back up. I also ended "apptj". It did not start back up. winrt was not there.

I am sorry to be such trouble about this. The only thing I am worried about is online security, since I do most of my bill paying, etc. online. If I can't get this fixed, is there a big risk to my information using the computer like it is. I can live with the annoying stuff if I have to.

classicsoftware
10-09-2005, 11:01 PM
Give us a HijackThis log and we can see what is going on.

Budfred
10-09-2005, 11:05 PM
You are going to need to change all your passwords and probably it would be good to contact any bank or credit company that you do business with and have used those numbers on the web... Wait until you are clean to do the password changes or they will just collect the new info... Go ahead and contact the banks and such ASAP...

We can get this cleaned up... Part of the problem may actually be that you are running MS AntiSpyware... It can restore programs after they have been fixed... We need to see a fresh HJT log to see what to do next... It would be helpful if you could post the latest AboutBuster and Ewido logs as well... Here are instructions for turning MS Antispyware off, but don't use them until we are ready for the next step...

kkay
10-10-2005, 05:47 PM
Logfile of HijackThis v1.99.1
Scan saved at 7:54:31 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll (file missing)
O2 - BHO: Class - {1F565452-33A1-FAF1-92CC-B3819646C738} - C:\WINDOWS\system32\msbs32.dll (file missing)
O2 - BHO: Class - {3FF4DC00-DFBF-5AF6-26C7-ADA5FDD1BA63} - C:\WINDOWS\system32\sdklt32.dll
O2 - BHO: Class - {4005C68E-E6A6-3DC8-CE42-5C3DFA9ACA22} - C:\WINDOWS\javaml.dll (file missing)
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\sysig.dll (file missing)
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {A1D24CBA-FEB6-5BD6-ABE5-BD9E36A20FCD} - C:\WINDOWS\system32\sdkpf32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C4843FF7-AE70-BF42-6057-827D9D3007CE} - C:\WINDOWS\apika32.dll (file missing)
O2 - BHO: Class - {DD4FB04F-8E1A-6818-993B-3C489CB8A5FF} - C:\WINDOWS\system32\javaib32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sysfa32.exe] C:\WINDOWS\sysfa32.exe
O4 - HKLM\..\RunOnce: [apivn32.exe] C:\WINDOWS\system32\apivn32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

kkay
10-10-2005, 05:49 PM
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:53:57 PM, 10/9/2005
+ Report-Checksum: 35A8B0AE

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{0391ACDF-A5AE-402C-8081-B44F1E7ED505} -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{249D1788-88C5-4656-854A-B13C6801839E} -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{2EAF08B9-6E51-47AF-B2DB-C241363F8120} -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{4001AD0D-698D-4B59-AE6C-E16C679407B2} -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{5E852281-397D-4463-AC96-4B3689ADB6B3} -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-12-2005 - 21-27-13.SBU/{AB723357-A607-43B8-9F26-FAF8377ECEAB} -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-13-2005 - 12-33-02.SBU/{87A4E4DF-ABA6-46C1-ADCE-95229FA18275} -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{0501D588-35F3-4CA5-8E84-D3426EC1868E} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{06DD07AE-CE19-4BA0-9BF9-5A6C338A5576} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{16065B5B-5A0F-4556-84FC-C95C7CEC7614} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{168C8EDB-DA7E-4E5F-8B09-EE77BA2C6215} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{187FF945-289A-40F8-8D0C-92F92574DA6D} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{1FB74E3B-2D6E-4BA4-90F2-E6FC4BEE95C2} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{295A63AF-BCF0-43B3-BE45-4123DF0C6B7B} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{35A272E9-4644-43F6-ABBB-BEEE2F38054E} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{3A80E3A7-7E4E-4981-8D1A-2F35A244E4FF} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{4156FD52-D2B1-47DA-B8C8-2A3193505F5A} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{4614F12B-203A-45E9-8AD2-08E43640F42E} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{485FA69F-0F11-4FF2-8626-ED6E8D78BADA} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{5A9E3802-3482-46BE-AAB5-962FB48EA955} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{5C2CC40F-626B-4BC7-BC5D-44143FAD4F9D} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{69D48C54-1061-42C4-A29D-5EEE4088BCEF} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{9C6762C5-05C4-4B94-81E7-331452B53608} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{A67BF81C-43B1-47FC-A6BA-D095E2452524} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{B3A701E3-7885-4671-BE1D-3F6A7F1C1F37} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{C631F302-74AF-4EF1-AD45-BE3DD29F1325} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{D66081A2-EC1B-4065-A282-AAD979F08C1D} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{DF8CBDDD-41B2-49D8-B702-4C117515E4D2} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{FD04F033-D248-4CB3-9006-B9274EDD15E1} -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 09-15-2005 - 19-08-59.SBU/{FD34AD99-3F14-4968-BDD6-DB6A377B2FE2} -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

kkay
10-10-2005, 05:56 PM
I already posted this, but I don't see it. I hope it doesn't show up twice.


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [5:52:11 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\awwmw.dat
Removed File! : C:\Windows\bhrvj.dat
Removed File! : C:\Windows\bqzqk.dat
Removed File! : C:\Windows\cnfnv.dat
Removed File! : C:\Windows\coyaz.dat
Removed File! : C:\Windows\depnp.dat
Removed File! : C:\Windows\duyjk.dat
Removed File! : C:\Windows\gevad.dat
Removed File! : C:\Windows\gfupd.dat
Removed File! : C:\Windows\hpdgb.dat
Removed File! : C:\Windows\iyiop.dat
Removed File! : C:\Windows\jcgfl.dat
Removed File! : C:\Windows\juscy.dat
Removed File! : C:\Windows\kkbbq.dat
Removed File! : C:\Windows\limga.dat
Removed File! : C:\Windows\lqyrn.dat
Removed File! : C:\Windows\mpqog.dat
Removed File! : C:\Windows\ntevu.dll
Removed File! : C:\Windows\okqsf.dat
Removed File! : C:\Windows\qezqn.dat
Removed File! : C:\Windows\rzotj.dat
Removed File! : C:\Windows\sqwqp.dat
Removed File! : C:\Windows\tyolk.dat
Removed File! : C:\Windows\xmamj.dat
Removed File! : C:\Windows\xtijk.dat
Removed File! : C:\Windows\yvkcn.dat
Removed File! : C:\Windows\zcdlq.dat
Removed File! : C:\Windows\System32\addog.exe
Removed File! : C:\Windows\System32\atlph.exe
Removed File! : C:\Windows\System32\avjvz.dat
Removed File! : C:\Windows\System32\bgmau.dat
Removed File! : C:\Windows\System32\crrl.exe
Removed File! : C:\Windows\System32\dqetj.dat
Removed File! : C:\Windows\System32\hfsja.dat
Removed File! : C:\Windows\System32\hmtlf.dat
Removed File! : C:\Windows\System32\ieku32.exe
Removed File! : C:\Windows\System32\igsna.dat
Removed File! : C:\Windows\System32\iqfxg.dat
Removed File! : C:\Windows\System32\kawzu.dat
Removed File! : C:\Windows\System32\korfk.dll
Removed File! : C:\Windows\System32\kpsjl.dat
Removed File! : C:\Windows\System32\kwilc.dat
Removed File! : C:\Windows\System32\mxcfm.dat
Removed File! : C:\Windows\System32\nhkyr.dat
Removed File! : C:\Windows\System32\ntzg.exe
Removed File! : C:\Windows\System32\pkzkc.dat
Removed File! : C:\Windows\System32\qggbd.dat
Removed File! : C:\Windows\System32\qhxmm.dll
Removed File! : C:\Windows\System32\qscwx.dat
Removed File! : C:\Windows\System32\sysve32.exe
Removed File! : C:\Windows\System32\vffqw.dat
Removed File! : C:\Windows\System32\wmnwy.dll
Removed File! : C:\Windows\System32\xgvhk.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:54:16 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [6:01:34 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:02:53 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [9:23:55 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\System32\wzkmb.dll
Removed File! : C:\Windows\System32\zuidy.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:25:29 PM


AboutBuster 5.0 reference file 31
Scan started on [10/7/2005] at [9:25:55 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:27:12 PM


AboutBuster 5.0 reference file 31
Scan started on [10/9/2005] at [6:39:19 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:40:54 PM


AboutBuster 5.0 reference file 31
Scan started on [10/9/2005] at [6:51:35 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:52:48 PM

classicsoftware
10-10-2005, 11:08 PM
First shut down the following if they show in applications or processes:

sysfa32.exe
apivn32.exe
Then:
Open Hijackthis and place a check next to the following:

O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll (file missing)
O2 - BHO: Class - {1F565452-33A1-FAF1-92CC-B3819646C738} - C:\WINDOWS\system32\msbs32.dll (file missing)
O2 - BHO: Class - {3FF4DC00-DFBF-5AF6-26C7-ADA5FDD1BA63} - C:\WINDOWS\system32\sdklt32.dll
O2 - BHO: Class - {4005C68E-E6A6-3DC8-CE42-5C3DFA9ACA22} - C:\WINDOWS\javaml.dll (file missing)
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\sysig.dll (file missing)
O2 - BHO: Class - {61C95AAB-1F56-A3EB-D50A-5DEAB6FA3B48} - C:\WINDOWS\system32\crbf.dll (file missing)
O2 - BHO: Class - {A1D24CBA-FEB6-5BD6-ABE5-BD9E36A20FCD} - C:\WINDOWS\system32\sdkpf32.dll (file missing)
O2 - BHO: Class - {C4843FF7-AE70-BF42-6057-827D9D3007CE} - C:\WINDOWS\apika32.dll (file missing)
O2 - BHO: Class - {DD4FB04F-8E1A-6818-993B-3C489CB8A5FF} - C:\WINDOWS\system32\javaib32.dll (file missing)
O4 - HKLM\..\Run: [sysfa32.exe] C:\WINDOWS\sysfa32.exe
O4 - HKLM\..\RunOnce: [apivn32.exe] C:\WINDOWS\system32\apivn32.exe

Close all open browser and program windows except HJT, then click Fix checked.

Re-boot and post a new HJT log.

kkay
10-11-2005, 09:18 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:39:10 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\sdkue.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\apptj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)
O2 - BHO: Class - {0664BE2E-CCA3-0F0E-86A7-E0ABFA0E5932} - C:\WINDOWS\system32\ntne32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1D0E04D5-6A8C-E6CF-283E-D25418CADEF9} - C:\WINDOWS\system32\msyk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [apptj.exe] C:\WINDOWS\system32\apptj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkue.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

kkay
10-11-2005, 10:12 PM
I think I am about ready to give this up. My homepage is getting hijacked every time I open a window & I'm getting pop-ups again. We have wasted so many hours on this.

Isn't there anything illegal about what these CWS people are doing? It would be nice to be able to make them pay us for all those hours - and just buy me a new computer!

I think I will take this computer offline until I can figure something out - maybe just get a new hard drive.

I will still check back from another computer.

Thanks so much for all your time & help.

classicsoftware
10-11-2005, 10:21 PM
Don't give up yet, you're actually almost done...

classicsoftware
10-11-2005, 10:29 PM
The following processes need to be killed or stopped:
C:\WINDOWS\system32\sdkue.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\apptj.exe
C:\WINDOWS\system32\sdkue.exe

Then load HJT and fix:

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {0664BE2E-CCA3-0F0E-86A7-E0ABFA0E5932} - C:\WINDOWS\system32\ntne32.dll
O2 - BHO: Class - {1D0E04D5-6A8C-E6CF-283E-D25418CADEF9} - C:\WINDOWS\system32\msyk.dll
O4 - HKLM\..\Run: [apptj.exe] C:\WINDOWS\system32\apptj.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkue.exe" /s (file missing)

In the meantime, use Firefox as your browser....
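
As an added example (not part of this thread, and not code from HijackThis, ewido or any other tool named here), the script below applies the same judgements classicsoftware made by eye in this post and the one before it to raw HijackThis lines: a BHO registered only as "Class" and living straight in C:\WINDOWS or system32, an O4 autorun value named after its own executable, an O23 service with "Unknown owner" and an unprintable short name, a "(file missing)" suffix, and R1/R3 values reset to about:blank or reported missing. The sample log is a constructed handful of lines copied from the logs posted in this thread plus some known-good vendor entries; the function names (`triage`, `triage_line`, `_split_command`) and the regular expressions are my own, written for this example.

```python
from __future__ import annotations

import re

# Constructed sample: a few lines copied from the HijackThis logs posted in this
# thread, plus known-good vendor entries so the triage has something to pass.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0664BE2E-CCA3-0F0E-86A7-E0ABFA0E5932} - C:\WINDOWS\system32\ntne32.dll
O2 - BHO: Class - {1F229039-6F6E-8545-7436-798A698742A9} - C:\WINDOWS\msod32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [apptj.exe] C:\WINDOWS\system32\apptj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkue.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Patterns for the HijackThis line types this thread's fixes touched (my own regexes).
FILE_MISSING = re.compile(r"\s*\(file missing\)\s*$")
R_RE = re.compile(r"^R[0-3] - (?P<rest>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)
# A bare file name sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.IGNORECASE)


def _split_command(cmd: str) -> tuple[str, str]:
    """Return (executable path, executable file name) from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]   # quoted path, arguments follow the closing quote
    else:
        path = cmd.split(" ", 1)[0]       # unquoted path, first token is the executable
    return path, path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> list[str]:
    """Return the reasons a single HijackThis line looks suspicious (empty if none)."""
    reasons: list[str] = []
    if FILE_MISSING.search(line):
        reasons.append("points at a file that no longer exists (stale entry)")

    m = R_RE.match(line)
    if m:
        rest = m["rest"].rstrip()
        if rest.endswith("is missing"):
            reasons.append("default IE search hook is missing")
        elif rest.endswith("= about:blank"):
            reasons.append("IE page or search value reset to about:blank (hijack residue)")
        return reasons

    m = BHO_RE.match(line)
    if m:
        if m["name"] == "Class":
            reasons.append("BHO registered with only a generic 'Class' name")
        if WINDIR_RE.match(FILE_MISSING.sub("", m["path"]).strip()):
            reasons.append("BHO DLL sitting directly in the Windows directory")
        return reasons

    m = RUN_RE.match(line)
    if m:
        path, exe = _split_command(m["cmd"])
        if exe.lower() == m["value"].lower():
            reasons.append("autorun value named after its own executable")
        if WINDIR_RE.match(path):
            reasons.append("autorun executable sitting directly in the Windows directory")
        return reasons

    m = SERVICE_RE.match(line)
    if m:
        if m["owner"] == "Unknown owner":
            reasons.append("service has no recorded vendor")
        short = m["short"] or ""
        if not (short.isascii() and short.isprintable()):
            reasons.append("service short name contains non-ASCII or non-printable characters")
        return reasons

    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map every suspicious HijackThis line to the list of reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

Run on the sample, it flags the six lines a helper would tick in HJT and leaves the Adobe, Symantec ccApp and ccEvtMgr entries alone. The rules are deliberately narrow: they reproduce the tells visible in this thread's logs rather than a general malware classifier, so an entry that trips none of them still deserves the usual check of the file's vendor and location before it is trusted.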

kkay
10-13-2005, 10:46 PM
This is what I got after the fixes.

Logfile of HijackThis v1.99.1
Scan saved at 8:40:50 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BigFix\BigFix.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

kkay
10-13-2005, 10:48 PM
I used Windows AntiSpyware to reset the browser pages. Then got this:

Logfile of HijackThis v1.99.1
Scan saved at 8:44:05 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BigFix\BigFix.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

So far (after this) no pop-ups or hijackings.

classicsoftware
10-13-2005, 11:23 PM
Your log looks clean. I'm sure Budfred will look it over and I hope he agrees.

Now we need to do some preventive work to keep the system clean.


Switch to the Fox: Use Firefox (http://www.mozilla.org/products/firefox/) as your web browser. It is faster than IE and it is safer. If you install the NoScript extension you will really be safe.
Use SpywareBlaster: Javacool Software makes an amazing product called SpywareBlaster. (http://www.javacoolsoftware.com/sbdownload.html) It takes up no memory and it works like a charm. Download it and keep it updated.
Get a real Firewall: The NIS firewall does not work well in my experience. You will be better off with Sygate (http://www.sygate.com/firewall/) or Kerio (http://www.kerio.com/kpf_download.html)
Anti-Virus Software: Keep it up to date and scan often.
Use IE-SPYAD: If you stick with IE, it is imperative you use IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm)
OS Update: Keep your OS up to date. Either turn on Automatic Update or run Windows Update at least once per month to get all of the updates.

Budfred
10-13-2005, 11:55 PM
The log looks pretty good to me... are you having any more problems??

kkay
10-14-2005, 10:58 PM
I haven't had any hijacking or pop-up problems.

NAV found four items when it scanned earlier today. Two were HijackThis backups. These were the other two:

C:\WINDOWS\system32\iert32.dll
C:\WINDOWS\system32\ntgt32.dll

Windows AntiSpyware didn't find anything the last couple of times it ran. Spybot is running right now.

I do the Windows Auto Update & I already have SpywareBlaster, but when I just checked it, under Restricted Sites it said 700+ things were disabled. It usually says "0". I updated and enabled everything.

I downloaded Firefox yesterday & I will try a different firewall.

I have a broadband connection. Do I need to do something with IE, or just start using Firefox? I keep clicking on the IE icon out of habit.

(Spybot just finished and it says it found these problems. It says it fixed them all except the first one & will run on restart.)

CoolWWWSearch.Feat2Installer (4)
CoolWWWSearch.SearchKlick (2)
DoubleClick (2)
Trek Blue Error Nuker (3)



I can't thank you guys enough for your help.

Budfred
10-14-2005, 11:30 PM
If Spybot is saying you still have CWS, it would be a good idea to post a fresh HJT log after reboot... It might also be a good idea to run a MWavScan to see if there is anything else that we are missing:

Try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review.... If the list is extremely long, you can just paste the lines that begin with the word "File" since those are the ones we need to be most concerned about...

http://www.mwti.net/products/mwav/mwav.asp

It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...

If you are clicking the IE icon accidentally, you can simply remove it from your Desktop... It won't affect the actual program...

kkay
10-15-2005, 05:45 PM
It was extremely long. I have to divide it up. I used these settings because that was what was checked when I started the program:

Sat Oct 15 15:57:47 2005 => Options Selected by User:
Sat Oct 15 15:57:47 2005 => Memory Check: Enabled
Sat Oct 15 15:57:47 2005 => Registry Check: Enabled
Sat Oct 15 15:57:47 2005 => StartUp Folder Check: Enabled
Sat Oct 15 15:57:47 2005 => System Folder Check: Enabled
Sat Oct 15 15:57:47 2005 => System Area Check: Disabled
Sat Oct 15 15:57:47 2005 => Services Check: Enabled
Sat Oct 15 15:57:47 2005 => Drive Check Option Disabled
Sat Oct 15 15:57:47 2005 => Folder Check: Disabled

This was toward the end:

Sat Oct 15 16:15:07 2005 => ***** Scanning complete. *****

Sat Oct 15 16:15:07 2005 => Total Objects Scanned: 43879
Sat Oct 15 16:15:07 2005 => Total Virus(es) Found: 108
Sat Oct 15 16:15:07 2005 => Total Disinfected Files: 0
Sat Oct 15 16:15:07 2005 => Total Files Renamed: 0
Sat Oct 15 16:15:07 2005 => Total Deleted Objects: 0
Sat Oct 15 16:15:07 2005 => Total Errors: 3550
Sat Oct 15 16:15:07 2005 => Time Elapsed: 00:17:20
Sat Oct 15 16:15:07 2005 => Virus Database Date: 2005/10/08
Sat Oct 15 16:15:07 2005 => Virus Database Count: 152936

kkay
10-15-2005, 05:47 PM
I am not sure if this is what you want. There were a lot of lines that said "Scanning File..." These said "Offending File Found".

Sat Oct 15 15:59:40 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Sat Oct 15 15:59:40 2005 => Loading Spyware Signatures from new External Database (Size: 145065).
Sat Oct 15 15:59:41 2005 => Indexed Spyware Databases Successfully Created...

Sat Oct 15 15:59:48 2005 => System found infected with smartfinder Spyware/Adware ({14913c42-fa8e-dbbc-21ea-6eb6ca2408bd})! Action taken: No Action Taken.
Sat Oct 15 15:59:49 2005 => System found infected with cws.homesearch Browser Hijacker ({2a970b79-1c8e-74b0-9d50-1086ec45a27f})! Action taken: No Action Taken.
Sat Oct 15 15:59:51 2005 => System found infected with smartfinder Spyware/Adware ({4a7621f7-51a8-8816-226b-81ee72e669cf})! Action taken: No Action Taken.
Sat Oct 15 15:59:52 2005 => System found infected with cws.homesearch Browser Hijacker ({4cba789a-410f-4b5a-0da6-9c0cb83bb92a})! Action taken: No Action Taken.
Sat Oct 15 15:59:55 2005 => System found infected with istbar Spyware/Adware ({000007c6-17df-4438-92a4-de5537471ba3})! Action taken: No Action Taken.
Sat Oct 15 16:00:04 2005 => Offending file found: C:\WINDOWS\kwv2.dat
Sat Oct 15 16:00:04 2005 => System found infected with aurora Spyware/Adware (kwv2.dat)! Action taken: No Action Taken.

Sat Oct 15 16:00:04 2005 => Offending file found: C:\WINDOWS\msmm.exe
Sat Oct 15 16:00:04 2005 => System found infected with clientman Spyware/Adware (msmm.exe)! Action taken: No Action Taken.

Sat Oct 15 16:00:05 2005 => Offending file found: C:\WINDOWS\system32\inneradinstall.log
Sat Oct 15 16:00:05 2005 => System found infected with spediabar Spyware/Adware (inneradinstall.log)! Action taken: No Action Taken.

Sat Oct 15 16:00:06 2005 => Offending file found: C:\WINDOWS\system32\msrev23.dll
Sat Oct 15 16:00:06 2005 => System found infected with ezula Spyware/Adware (msrev23.dll)! Action taken: No Action Taken.

Sat Oct 15 16:00:06 2005 => Offending file found: C:\WINDOWS\system32\msrev43.dll
Sat Oct 15 16:00:06 2005 => System found infected with ezula Spyware/Adware (msrev43.dll)! Action taken: No Action Taken.

Sat Oct 15 16:00:07 2005 => Offending Folder found: C:\Documents and Settings\Karen\Application Data\lycos\sidesearch
Sat Oct 15 16:00:07 2005 => Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Oct 15 16:00:11 2005 => Offending Folder found: C:\Documents and Settings\Karen\Application Data\weatherbug
Sat Oct 15 16:00:11 2005 => Object "weatherbug Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Oct 15 16:00:16 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\4d0r4noj\ads[1].htm
Sat Oct 15 16:00:16 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.

Sat Oct 15 16:00:17 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\6ps7yxax\common[1].js
Sat Oct 15 16:00:17 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:18 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\6ps7yxax\index[1].html
Sat Oct 15 16:00:18 2005 => System found infected with whenu.savenow Spyware/Adware (index[1].html)! Action taken: No Action Taken.

Sat Oct 15 16:00:19 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\c1sh27od\show_ads[2].js
Sat Oct 15 16:00:19 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:20 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\conq6mk5\stylesheet[1].css
Sat Oct 15 16:00:20 2005 => System found infected with whenu.savenow Spyware/Adware (stylesheet[1].css)! Action taken: No Action Taken.

Sat Oct 15 16:00:20 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\conq6mk5\s_code[1].js
Sat Oct 15 16:00:20 2005 => System found infected with whenu.savenow Spyware/Adware (s_code[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:21 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\fawzf541\ads[1].htm
Sat Oct 15 16:00:21 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.

Sat Oct 15 16:00:22 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\fawzf541\formie[1].css
Sat Oct 15 16:00:22 2005 => System found infected with whenu.savenow Spyware/Adware (formie[1].css)! Action taken: No Action Taken.

Sat Oct 15 16:00:23 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\iru2a7gy\pop[1].htm
Sat Oct 15 16:00:23 2005 => System found infected with whenu.savenow Spyware/Adware (pop[1].htm)! Action taken: No Action Taken.

Sat Oct 15 16:00:23 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temp\temporary internet files\content.ie5\iru2a7gy\s_code[1].js
Sat Oct 15 16:00:23 2005 => System found infected with whenu.savenow Spyware/Adware (s_code[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:25 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\01qzklmj\common[1].js
Sat Oct 15 16:00:25 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:25 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\2w8npxwd\common[1].js
Sat Oct 15 16:00:25 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:25 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\37xrb9g8\common[1].js
Sat Oct 15 16:00:25 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:26 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\4swal70h\common[1].js
Sat Oct 15 16:00:26 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:26 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\8deb8t2j\common[1].js
Sat Oct 15 16:00:26 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:26 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\8ly70xa7\common[1].js
Sat Oct 15 16:00:26 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:26 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\8lyn85qv\common[1].js
Sat Oct 15 16:00:26 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:27 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\cxqlulgh\common[1].js
Sat Oct 15 16:00:27 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:28 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\ihvw9o3a\common[1].js
Sat Oct 15 16:00:28 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:31 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\qpbc94rm\show_ads[2].js
Sat Oct 15 16:00:31 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:31 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\sjpvuazl\common[1].js
Sat Oct 15 16:00:31 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:32 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\ushjni17\common[1].js
Sat Oct 15 16:00:32 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

kkay
10-15-2005, 05:48 PM
Sat Oct 15 16:00:33 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\w3vf2w11\common[1].js
Sat Oct 15 16:00:33 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:33 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\wdirsdqn\common[1].js
Sat Oct 15 16:00:33 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:34 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\xaz11ewi\common[1].js
Sat Oct 15 16:00:34 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:34 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\xaz11ewi\global[1].js
Sat Oct 15 16:00:34 2005 => System found infected with redv Spyware/Adware (global[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:35 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\content.ie5\y1rkpwnu\common[1].js
Sat Oct 15 16:00:35 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:35 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\temporary internet files\search.html
Sat Oct 15 16:00:35 2005 => System found infected with whenu.sidefinder Spyware/Adware (search.html)! Action taken: No Action Taken.

Sat Oct 15 16:00:35 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\01qzklmj\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\2w8npxwd\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\37xrb9g8\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\4swal70h\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\8deb8t2j\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\8ly70xa7\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\8lyn85qv\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\cxqlulgh\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\ihvw9o3a\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\qpbc94rm\show_ads[2].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\sjpvuazl\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\ushjni17\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\w3vf2w11\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:36 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\wdirsdqn\common[1].js
Sat Oct 15 16:00:36 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:37 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\xaz11ewi\common[1].js
Sat Oct 15 16:00:37 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:37 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\xaz11ewi\global[1].js
Sat Oct 15 16:00:37 2005 => System found infected with redv Spyware/Adware (global[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:37 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\content.ie5\y1rkpwnu\common[1].js
Sat Oct 15 16:00:37 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Sat Oct 15 16:00:37 2005 => Offending file found: C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\search.html
Sat Oct 15 16:00:37 2005 => System found infected with whenu.sidefinder Spyware/Adware (search.html)! Action taken: No Action Taken.

Sat Oct 15 16:00:38 2005 => Offending file found: C:\Documents and Settings\All Users\Application Data\intuit\quicken\inet\common\pnf\pas\install.htm
Sat Oct 15 16:00:38 2005 => System found infected with lop.com Spyware/Adware (install.htm)! Action taken: No Action Taken.

Sat Oct 15 16:00:52 2005 => Offending file found: C:\Documents and Settings\All Users\Application Data\symantec\common client\settings.dat
Sat Oct 15 16:00:52 2005 => System found infected with cydoor.topicks.a Spyware/Adware (settings.dat)! Action taken: No Action Taken.

Budfred
10-15-2005, 06:13 PM
Please STOP... Do NOT post any more of that... It is the bottom window of the dialogue that contains the bad files and that is MUCH shorter... As I said in the instructions, you can actually leave out any that don't begin with the word FILE....

kkay
10-15-2005, 09:56 PM
I'm trying to figure out how to delete those long posts...can't seem to do it.

Budfred
10-15-2005, 10:06 PM
Don't worry about deleting the other ones, just post the part that we need to see....

kkay
10-16-2005, 12:19 AM
File C:\WINDOWS\addom32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\addzp32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\apiew32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\appxm32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\atlrk.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\d3aa32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\d3to.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\iedz.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\ieyv.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\iezf32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\javaoj.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\mfcpx32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\msmr.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\netcb.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\nethb32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\netra32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\ntss.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\n_ibunfs.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\n_wcaogv.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\n_zstxxj.txt infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sdkfj.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sdksx.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sysur.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\addfi.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\addpi.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\addtr32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\apibp32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\apivn32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\apiys.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\appti32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\apptj.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\atllu32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3nx.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3yc.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\iema.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipex32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipim.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipiy32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipjb32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipmc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfcyu.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfcyw.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ntog.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ntrx.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sdkqn.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sdkue.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysbp32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Karen\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe tagged as not-a-virus:Downloader.Win32.ImLoader.b. No Action Taken.

Budfred
10-16-2005, 02:16 AM
Okay, you still have a mess there... Please download KillBox and then copy/paste that list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It could have a problem if the first file doesn't actually exist, but otherwise it should kill them on reboot...

http://www.atribune.org/downloads/KillBox.exe

Once you finish, please run MWav again and post a fresh log from it as well as an update on how things are going...

kkay
10-16-2005, 04:44 PM
I finished the MWav scan & it will not let me "copy" again. I compared the latest scan to the last post I made and they are the same.

I just wondered if I was supposed to paste the "entire list", meaning everything that came up in the bottom window, or just the ones starting with "File", in KillBox. I did just the "File" ones.

Budfred
10-16-2005, 09:50 PM
Did you use Ctrl-C to copy the list from the MWavScan?? That is the only way to copy it...

We will address those files the hard way...

Copy/paste this list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It should be able to accept the whole list, but if it doesn't you will need to enter them one at a time... Do not click through to close it out and reboot until they have all been entered... Once they are all entered, click through to kill them...

C:\WINDOWS\addom32.exe
C:\WINDOWS\addzp32.exe
C:\WINDOWS\apiew32.exe
C:\WINDOWS\appxm32.exe
C:\WINDOWS\atlrk.exe
C:\WINDOWS\d3aa32.exe
C:\WINDOWS\d3to.exe
C:\WINDOWS\iedz.exe
C:\WINDOWS\ieyv.exe
C:\WINDOWS\iezf32.exe
C:\WINDOWS\javaoj.exe
C:\WINDOWS\mfcpx32.exe
C:\WINDOWS\msmr.exe
C:\WINDOWS\netcb.exe
C:\WINDOWS\nethb32.exe
C:\WINDOWS\netra32.exe
C:\WINDOWS\ntss.exe
C:\WINDOWS\n_ibunfs.log
C:\WINDOWS\n_wcaogv.dat
C:\WINDOWS\n_zstxxj.txt
C:\WINDOWS\sdkfj.exe
C:\WINDOWS\sdksx.exe
C:\WINDOWS\sysur.exe
C:\WINDOWS\system32\addfi.exe
C:\WINDOWS\system32\addpi.exe
C:\WINDOWS\system32\addtr32.exe
C:\WINDOWS\system32\apibp32.exe
C:\WINDOWS\system32\apivn32.exe
C:\WINDOWS\system32\apiys.exe
C:\WINDOWS\system32\appti32.exe
C:\WINDOWS\system32\apptj.exe
C:\WINDOWS\system32\atllu32.exe
C:\WINDOWS\system32\d3nx.exe
C:\WINDOWS\system32\d3yc.exe
C:\WINDOWS\system32\iema.exe
C:\WINDOWS\system32\ipex32.exe
C:\WINDOWS\system32\ipim.exe
C:\WINDOWS\system32\ipiy32.exe
C:\WINDOWS\system32\ipjb32.exe
C:\WINDOWS\system32\ipmc32.exe
C:\WINDOWS\system32\mfcyu.exe
C:\WINDOWS\system32\mfcyw.exe
C:\WINDOWS\system32\ntog.exe
C:\WINDOWS\system32\ntrx.exe
C:\WINDOWS\system32\sdkqn.exe
C:\WINDOWS\system32\sdkue.exe
C:\WINDOWS\system32\sysbp32.exe
C:\DOCUME~1\Karen\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe

Reboot and run an online virus scan from HouseCall (link in my signature)... Reboot again and run a fresh MWavScan and post the log...

kkay
10-17-2005, 06:04 PM
I did try "Ctrl-C" and it wouldn't copy. It did the same thing the first time I scanned. Then the next time it let me copy.

I just tried Killbox again in Safe Mode. It would only let me put the first 12 files in the line. When I tried the next one, all I got was "C:\WI" - like it was out of room.

(I thought it took the whole list the first time I did this, but when I looked at the log, I see that it only took the first one.)

Will it do any good to do 12 at a time? And if it does, do I need to reboot between each set?

Budfred
10-17-2005, 08:59 PM
You don't need to reboot each time, it actually isn't a good idea to... You do need to enter each one either 12 at a time or even one at a time if needed...

When you try to copy it, are you highlighting it all first?? You then use Ctrl-C and then Paste immediately into a Notepad file...

kkay
10-22-2005, 07:49 PM
I tried this about three times and it looks like the same results. The first time I ran the Housecall scan it found 18 spywares. I chose "remove" and it didn't find any the next time.

After I put all the files in Killbox and chose to reboot, I get this message:

PendingFileRenameOperations Registry Data has been Removed by External Process!

Is that a normal part of the process, or a problem?

(MWav is letting me copy now. A few times before, it wouldn't even let me highlight to copy)

File C:\WINDOWS\addom32.exe
File C:\WINDOWS\addzp32.exe
File C:\WINDOWS\appxm32.exe
File C:\WINDOWS\atlrk.exe
File C:\WINDOWS\d3aa32.exe
File C:\WINDOWS\d3to.exe
File C:\WINDOWS\iedz.exe
File C:\WINDOWS\ieyv.exe
File C:\WINDOWS\iezf32.exe
File C:\WINDOWS\javaoj.exe
File C:\WINDOWS\mfcpx32.exe
File C:\WINDOWS\msmr.exe
File C:\WINDOWS\netcb.exe
File C:\WINDOWS\nethb32.exe
File C:\WINDOWS\netra32.exe
File C:\WINDOWS\ntss.exe
File C:\WINDOWS\n_ibunfs.log
File C:\WINDOWS\n_wcaogv.dat
File C:\WINDOWS\n_zstxxj.txt
File C:\WINDOWS\sdkfj.exe
File C:\WINDOWS\sdksx.exe
File C:\WINDOWS\sysur.exe
File C:\WINDOWS\system32\addfi.exe
File C:\WINDOWS\system32\addpi.exe
File C:\WINDOWS\system32\apivn32.exe
File C:\WINDOWS\system32\apiys.exe
File C:\WINDOWS\system32\appti32.exe
File C:\WINDOWS\system32\apptj.exe
File C:\WINDOWS\system32\atllu32.exe
File C:\WINDOWS\system32\d3nx.exe
File C:\WINDOWS\system32\d3yc.exe
File C:\WINDOWS\system32\iema.exe
File C:\WINDOWS\system32\ipex32.exe
File C:\WINDOWS\system32\ipiy32.exe
File C:\WINDOWS\system32\ipjb32.exe
File C:\WINDOWS\system32\ipmc32.exe
File C:\WINDOWS\system32\mfcyu.exe
File C:\WINDOWS\system32\mfcyw.exe
File C:\WINDOWS\system32\ntog.exe
File C:\WINDOWS\system32\sdkqn.exe
File C:\WINDOWS\system32\sdkue.exe
File C:\WINDOWS\system32\sysbp32.exe
File C:\DOCUME~1\Karen\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe

Budfred
10-23-2005, 02:25 AM
I believe this means that the first item in the list is not there, so do them one at a time:

PendingFileRenameOperations Registry Data has been Removed by External Process!

I am not sure why you posted that list... It appears to be the one that I posted for you...

If you have rebooted, you may have more new files for us to find and kill...
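
KillBox's "PendingFileRenameOperations" message refers to the registry value Windows uses to queue deletions and moves for the next boot (the same mechanism MoveFileEx uses with the delay-until-reboot flag). As an added example, not part of this thread and not KillBox's code, here is a small Python helper that decodes that value and checks whether every path you meant to delete actually made it into the queue before you reboot. The registry path and value name are the real ones; the sample value, the file names in it and the helper names (`parse_pending_renames`, `missing_from_queue`, `read_pending_renames`) are constructed for the demo. The live read only works on Windows; the parsing runs anywhere.

```python
import sys

# Constructed sample of a PendingFileRenameOperations REG_MULTI_SZ value.
# Strings come in pairs (source, destination). An empty destination means
# "delete source"; a destination starting with "!" means "replace existing".
# Paths carry the NT object-manager prefix \??\ in front of the drive letter.
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\addom32.exe", "",
    r"\??\C:\WINDOWS\system32\ipmc32.exe", "",
    r"\??\C:\WINDOWS\Temp\newfile.tmp", r"!\??\C:\WINDOWS\system32\somedll.dll",
]

REG_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def _clean(path):
    """Strip the '!' replace flag and the NT object-manager prefix from a path."""
    replace = path.startswith("!")
    if replace:
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path, replace


def parse_pending_renames(values):
    """Turn the raw list of strings into a list of queued operations."""
    if len(values) % 2:
        raise ValueError("odd number of strings: value is malformed or truncated")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        src, _ = _clean(src)
        if dst == "":
            ops.append({"op": "delete", "source": src, "target": None})
        else:
            dst, replace = _clean(dst)
            ops.append({"op": "replace" if replace else "move",
                        "source": src, "target": dst})
    return ops


def missing_from_queue(values, wanted):
    """Paths you intended to delete that are NOT queued yet (case-insensitive)."""
    queued = {o["source"].lower()
              for o in parse_pending_renames(values) if o["op"] == "delete"}
    return [p for p in wanted if p.lower() not in queued]


def read_pending_renames():
    """Read the live value on Windows; returns [] when nothing is queued."""
    if sys.platform != "win32":
        raise OSError("the registry read is only meaningful on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        try:
            values, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    if kind != winreg.REG_MULTI_SZ:
        raise ValueError("unexpected registry type %r" % kind)
    return parse_pending_renames(values)


if __name__ == "__main__":
    # Offline demo on the constructed value; use read_pending_renames() on Windows.
    for op in parse_pending_renames(SAMPLE_VALUE):
        print(op)
    wanted = [r"C:\WINDOWS\addom32.exe", r"C:\WINDOWS\sysur.exe"]
    print("not queued:", missing_from_queue(SAMPLE_VALUE, wanted))
```

If `missing_from_queue` reports paths that you typed into KillBox, they were never queued (which matches the thread's symptom of only the first entry surviving), so re-enter them before rebooting rather than after.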

kkay
10-23-2005, 10:47 AM
Those are the items that came up in the last MWav scan.

Budfred
10-23-2005, 10:56 AM
It is a good idea to post the actual scan data rather than the distilled list.... Did you go through and try to KillBox each of those individually??

kkay
10-23-2005, 03:42 PM
This is the actual part I copied. I tried putting them in Killbox as many as would fit at a time, & all of them (the list you posted) at a time. I tried several different ways - but I don't think I did them all one at a time. I will try that. I just have to "kill" each one then reboot after they have all been entered?

File C:\WINDOWS\addom32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\addzp32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\appxm32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\atlrk.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\d3aa32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\d3to.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\iedz.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\ieyv.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\iezf32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\javaoj.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\mfcpx32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\msmr.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\netcb.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\nethb32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\netra32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\ntss.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\n_ibunfs.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\n_wcaogv.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\n_zstxxj.txt infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sdkfj.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sdksx.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\sysur.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\addfi.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\addpi.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\apivn32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\apiys.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\appti32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\apptj.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\atllu32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3nx.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3yc.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\iema.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipex32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipiy32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipjb32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipmc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfcyu.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfcyw.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ntog.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sdkqn.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sdkue.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysbp32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Karen\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe tagged as not-a-virus:Downloader.Win32.ImLoader.b. No Action Taken.

Budfred
10-23-2005, 04:58 PM
You should be able to enter each one individually and then reboot at the end to kill them...

kkay
10-29-2005, 12:49 PM
I finally got time to try entering them one at a time. I ran the MWav again and didn't get anything that started with "File". (This was a few days ago - I haven't done it again)

There were still a lot of entries that start "Object...found in file system..." and "Entry...refers to invalid object..."

Some, but not all of the ones I killed were listed:

Entry "HKCR..." refers to invalid object "C:\WINDOWS\addom32.exe". Action Taken: No Action Taken.

Budfred
10-29-2005, 08:34 PM
The others can be cleaned up with a Registry cleaner, but the Files items are the only ones to worry about... Post a fresh HJT log and update on how your system is running so we can make sure you are all cleaned up...
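
The advice in this thread is to post the raw scan output, and to treat only the "File ..." hits as live malware while "Entry ... refers to invalid object" lines are stale registry references for a cleaner. As an added example (not part of the thread and not MWav's own code), here is a Python parser for the three MWav line shapes quoted above that separates those categories, groups the file hits by detection name, and produces the de-duplicated path list a helper would otherwise build by hand. The sample log is constructed in the format shown on this page; the registry keys and the extra "sysur" entry in it are made up, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the MWav (eScan) output quoted in this
# thread. The registry keys and the "sysur" Entry line are made up for the demo.
SAMPLE_LOG = r"""
File C:\WINDOWS\addom32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipmc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Karen\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe tagged as not-a-virus:Downloader.Win32.ImLoader.b. No Action Taken.
Entry "HKCR\CLSID\{EXAMPLE-CLSID}\InprocServer32" refers to invalid object "C:\WINDOWS\addom32.exe". Action Taken: No Action Taken.
Entry "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysur" refers to invalid object "C:\WINDOWS\sysur.exe". Action Taken: No Action Taken.
Object "CoolWWWSearch" found in File System! Action Taken: No Action Taken.
"""

# Three line shapes appear in the thread: "File ... infected by", "File ... tagged as"
# (not-a-virus hits) and "Entry ... refers to invalid object" (dangling registry refs).
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus! '
    r'Action Taken: (?P<action>.+?)\.$')
TAGGED_RE = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>\S+?)\. (?P<action>.+?)\.$')
ENTRY_RE = re.compile(
    r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<path>[^"]+)"\. '
    r'Action Taken: (?P<action>.+?)\.$')


def parse_mwav(text):
    """Split MWav output into file detections, stale registry entries and the rest."""
    report = {"files": [], "invalid_entries": [], "other": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
        if m:
            report["files"].append(m.groupdict())
            continue
        m = ENTRY_RE.match(line)
        if m:
            report["invalid_entries"].append(m.groupdict())
            continue
        report["other"].append(line)   # e.g. "Object ... found in File System!"
    return report


def distill_paths(report):
    """The de-duplicated file list a helper would hand to a deletion tool."""
    return sorted({hit["path"] for hit in report["files"]}, key=str.lower)


def by_detection(report):
    """Group the file hits by detection name to see which family is still present."""
    groups = defaultdict(list)
    for hit in report["files"]:
        groups[hit["name"]].append(hit["path"])
    return dict(groups)


def stale_references(report):
    """Registry entries whose target file the scanner no longer reports on disk.

    These are leftovers for a registry cleaner, not live malware; an Entry whose
    target is still among the File hits is a different story.
    """
    live = {hit["path"].lower() for hit in report["files"]}
    return [e for e in report["invalid_entries"] if e["path"].lower() not in live]


if __name__ == "__main__":
    rep = parse_mwav(SAMPLE_LOG)
    for name, paths in by_detection(rep).items():
        print("%-45s %d file(s)" % (name, len(paths)))
    print("\n".join(distill_paths(rep)))
    for e in stale_references(rep):
        print("stale:", e["key"], "->", e["path"])
    print("unparsed:", len(rep["other"]))
```

Running it on a full scan log gives the same "distilled list" that appears in this thread, but keeps the detection names attached, so a reader can tell whether the hits are all one family (as here, two Agent variants plus one not-a-virus loader) or something new has appeared between scans.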

kkay
10-31-2005, 04:41 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:40:24 PM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127086446\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Karen\Application Data\Mozilla\Profiles\default\f8yiyc95.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127086446\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126214600187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pop-Up Stopper Anti-Spyware Service (PWISVC) - Panicware, Inc. - C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWISVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

kkay
10-31-2005, 04:52 PM
Most things seem to be running great.

I have a few little problems with Firefox and have to use IE for some sites. (like running the Housecall Online AV & posting to an MSN Group) I downloaded IESpyads, but I can't really tell if it's doing anything.

I also downloaded the Sygate firewall and am trying to get used to it. Some things it asks if I want to block I'm sure not about.

The only other thing that just started a couple of days ago is my Outlook Express isn't able to access my mail. I'll probably just try to reboot to see if that takes care of it.

And, the other day the "NoScript" thing wouldn't show up when I right-clicked. At the same time my imported Favorites were gone & when I tried to import them again, the folder was empty. Both of those things cleared themselves up, though.

That's all I can think of.

Budfred
10-31-2005, 10:53 PM
> I have a few little problems with Firefox and have to use IE for some sites. (like running the Housecall Online AV & posting to an MSN Group) I downloaded IESpyads, but I can't really tell if it's doing anything.

This is normal... MS does not want people to be able to access their sites in a competitors browser, so they make it difficult... HouseCall does have a version that will run on FF, but you have to look for it...

> The only other thing that just started a couple of days ago is my Outlook Express isn't able to access my mail. I'll probably just try to reboot to see if that takes care of it.

It may need to be Repaired or reinstalled... Some of the malware and possibly even some of the fixes may have corrupted it... Malware digs in deep and it is not always possible to get it out without damage...

Overall it sounds like you may be cleaned up... Good!! Here is my prevention speech to help prevent getting reinfected...

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

http://www.computercops.biz/postlite7736-.html

kkay
11-01-2005, 08:26 PM
I have SpywareBlaster & IESpyads, but I didn't download them until after these problems started. Hopefully they will work from here out. I also have Spybot, Panicware Pop-Up Stopper & Microsoft Anti-Spyware.

I downloaded the Sygate Firewall. I clicked on their "Security Test" button and it said I had 2 "closed" ports and 1 "open", but didn't tell me how to fix it. (It also said if I was using router, which I am, it may be checking that instead of my computer)

I don't think I have ever even clicked on a pop-up window, let alone download something - but that doesn't mean my "kids" haven't. (I think they would ask before actually downloading anything.)

I can't thank you guys enough for all your help. This has taken up so much time, which I don't have enough of already. I hope I don't have to bother you any more about this!

Thanks!

Budfred
11-01-2005, 09:52 PM
If you are careful and keep your kids careful, it is likely that you will be okay with protections in place... I assume you are still using Norton antivirus as well... Good luck...

classicsoftware
11-01-2005, 11:55 PM
Go here (https://www.grc.com/x/ne.dll?bh0bkyd2) to check your internet security level.

kkay
11-05-2005, 09:51 AM
I went to your link and their scan shows one port "closed" and the rest "stealth".

classicsoftware
11-05-2005, 04:29 PM
Which port was open? Stealth is excellent.

kkay
11-12-2005, 09:08 PM
Port 113 - IDENT: Closed
"Your computer has responded that this port exists but is currently closed to connections."

The result also showed "Ping Reply: RECEIVED (FAILED)"

classicsoftware
11-12-2005, 09:56 PM
Read this (http://www.grc.com/port_113.htm) You are fine....

kkay
11-24-2005, 05:55 PM
I noticed that Spybot is still finding CoolWWWSearch files.

CoolWWWSearch.Feat2Installer

C:\WINDOWS\veeot.txt
C:\WINDOWS\pxydt.txt
C:\WINDOWS\pwjqy.txt
C:\WINDOWS\dinhj.txt

Also, I have a bunch of strange looking folders in my Windows directory (67 of them). One of them starts with "$hf...", two are "$M..." and the rest start with "$NT". Does this have anything to do with my previous problems, or are these normal? I never noticed them before a few weeks ago.

Budfred
11-24-2005, 09:36 PM
Have you tried deleting those files?? If not, do so and see if Spybot still picks anything up...

Those folders seem to be legit... I don't have any with $M, but I have the others... If you are unsure, post more detail about the $M folders...