Hijacked by popups, hopefully a quick fix; log inside

lotuz · 03-17-2005, 09:10 PM

I just started getting hijacked today after visiting a site to check out some song lyrics. I've run Spybot and AdAware, as well as HJT. Here is the log:

Logfile of HijackThis v1.99.0
Scan saved at 11:09:56 PM, on 3/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\nlsdntld.exe
C:\windows\system32\jjqznhqv.exe
C:\Program Files\Tweak-XP\blads.exe
C:\WINDOWS\System32\objuinit.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\windows\system32\calc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [axazojgx] C:\WINDOWS\axazojgx.exe
O4 - HKLM\..\Run: [47Fg37j] nlsdntld.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

MicroBell · 03-18-2005, 01:44 AM

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

If you have a highspeed connection please Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\System32\nlsdntld.exe
C:\windows\system32\jjqznhqv.exe
C:\WINDOWS\System32\objuinit.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O4 - HKLM\..\Run: [axazojgx] C:\WINDOWS\axazojgx.exe
O4 - HKLM\..\Run: [47Fg37j] nlsdntld.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directorys..ect enabled if it applys to your OS)

C:\WINDOWS\System32\nlsdntld.exe
C:\windows\system32\jjqznhqv.exe
C:\WINDOWS\System32\objuinit.exe
C:\WINDOWS\Pynix.dll
C:\WINDOWS\axazojgx.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\wupdt.exe

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not. Once your clean you can enable system restore again.

lotuz · 03-18-2005, 01:03 PM

Alrighty, here's the new log:

Logfile of HijackThis v1.99.0
Scan saved at 3:03:06 PM, on 3/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for the help thus far!

greyknight17 · 03-18-2005, 02:09 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\Pynix.dll
C:\WINDOWS\systb.dll
objuinit.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

lotuz · 03-21-2005, 12:46 AM

Thanks for the help so far. One snag - one of my friends used my computer today and now I'm totally bogged down with crap. He's on the new "no-list." I spent the first fifteen minutes after rebooting unsuccessfully trying to uninstall "Virtual Bouncer" and "Ad-Somethingsomething"...

Here's the new log, repleat with popup goodness:

Log was analyzed using HijackThis Analyzer - Updated on 12/1/04
Get updates at http://www.greyknight17.com/download.htm#programs

Logfile of HijackThis v1.99.0
Scan saved at 2:43:43 AM, on 3/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system\mmedx.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\System32\ilsut.exe
C:\WINDOWS\System32\ipx3d2ag.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\Tim\Application Data\twia.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\system32\w?nlogon.exe
C:\windows\system32\jjqznhqv.exe
C:\windows\system32\packager.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/
R3 - Default URLSearchHook is missing
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\ELITET~1\ELITET~2.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteifc32.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.SAV /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [47Fg37j] ipx3d2ag.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [LwwmRXH5e] ilsut.exe
O4 - HKCU\..\Run: [Waaa] C:\Documents and Settings\Tim\Application Data\twia.exe
O4 - HKCU\..\Run: [Knmhkgm] C:\WINDOWS\System32\w?nlogon.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50252/QDow_AS2.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

End of HijackThis Analyzer Log.

Thanks for your continuing patience.

CTSNKY · 03-21-2005, 07:12 PM

I think we can do without all of the "crap" references.......thanks.

==============

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system\mmedx.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\ilsut.exe
C:\WINDOWS\System32\ipx3d2ag.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\Tim\Application Data\twia.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\system32\w?nlogon.exe
C:\windows\system32\jjqznhqv.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

AutoUpdate
CxtPls
EliteBar
Media Access

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\ELITET~1\ELITET~2.DLL
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteifc32.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.SAV /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [47Fg37j] ipx3d2ag.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [LwwmRXH5e] ilsut.exe
O4 - HKCU\..\Run: [Waaa] C:\Documents and Settings\Tim\Application Data\twia.exe
O4 - HKCU\..\Run: [Knmhkgm] C:\WINDOWS\System32\w?nlogon.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\Tim\Application Data\twia.exe
C:\Program Files\AutoUpdate\
C:\Program Files\CxtPls\
C:\Program Files\Media Access\
C:\WINDOWS\ceres.dll
C:\WINDOWS\ELITET (something…..folder name)
C:\WINDOWS\farmmext.exe
C:\WINDOWS\farmmext.ini
C:\WINDOWS\system\mmedx.exe
C:\WINDOWS\System32\cxtpls_loader.exe
c:\windows\system32\eliteifc32.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\ilsut.exe
C:\WINDOWS\System32\ipx3d2ag.exe
C:\windows\system32\jjqznhqv.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\system32\w?nlogon.exe
C:\WINDOWS\System32\wintask.exe

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

===========

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

lotuz · 03-22-2005, 01:10 AM

Alright, here's the newest HJT log:

Log was analyzed using HijackThis Analyzer - Updated on 12/1/04
Get updates at http://www.greyknight17.com/download.htm#programs

Logfile of HijackThis v1.99.0
Scan saved at 3:08:44 AM, on 3/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\system32\w?nlogon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/
O2 - BHO: (no name) - {63929A18-7BF9-2F7A-8688-5740459DFBCC} - C:\WINDOWS\System32\aoop.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

End of HijackThis Analyzer Log.

and here's the other log:

00:58:50 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
00:58:50 [Init] Started 22-03-05 00:58:50 Eastern Standard Time (UTC: 5), Internet Time @290.86
00:58:50 [Init] Loading TDS-3 Systems ...
00:58:50 [Init] Token successfully adjusted.
00:58:50 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
00:58:51 [Init] • Plugins : OK. Loaded 13
00:58:51 [Init] • Exec Protection : Not Installed
00:58:51 [Init] WARNING: Your Radius.TD3 database needs to be updated!
00:58:51 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
00:58:51 [Init] Licensed users can use the Update facility from the TDS menu
00:58:51 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
00:58:59 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
00:58:59 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
00:58:59 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
00:58:59 [Init] TDS-3 Ready. <Tim@131.247.157.87, 127.0.0.1 - United States>
00:58:59 [Tip Of The Day] TDS-3 is the only anti-trojan system capable of detecting, enumerating and scanning in hidden NTFS Alternate Data Streams - you can enable this powerful capability in Scan Control
00:58:59 [TDS] Good morning Tim. It's getting late, aren't you sleepy yet?
00:59:05 [Mutex Memory Scan] Started...
00:59:07 [Mutex Memory Scan] Finished (no trojan mutexes found).
00:59:07 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
00:59:24 [CRC32] Started - verifying 29 files ...
00:59:25 [CRC32] File doesn't exist: C:\autoexec.bat
00:59:39 [CRC32] Test finished.
01:00:12 [Memory Scan] Memory scan started, please wait a moment ...
01:00:13 [Memory Scan] Memory scan complete.
01:00:13 [Mutex Memory Scan] Started...
01:00:14 [Mutex Memory Scan] Finished (no trojan mutexes found).
01:00:14 [Trace Scan] Started...
01:00:23 [Trace Scan] Finished.
01:00:23 [Service\Driver Scan] Scanning for services and drivers ...
01:00:28 [Service\Driver Scan] Scanned 314 services and drivers.
01:00:28 [File Scan] Scanning in A:\ ...
01:00:29 [File Scan] Scanned 0 files: 0 alarms in 1.031006 seconds (Avg 1. files/sec)
01:00:29 [File Scan] Scanning in C:\ ...
02:36:12 [Locked File] Couldn't open c:\windows\system32\w?nlogon.exe for read access, file is locked
02:44:57 [TDS] Good morning Tim. Would you like a coffee?
02:46:15 [File Scan] Scanned 107744 files: 16 alarms in 6345.5 seconds (Avg 17.98 files/sec)
02:46:15 [File Scan] Scanning in D:\ ...
02:46:15 [File Scan] Scanned 0 files: 16 alarms in 0 seconds (Avg -1.#IND files/sec)
02:46:15 [File Scan] Scanning in E:\ ...
02:46:17 [File Scan] Scanned 1491 files: 16 alarms in 2.15625 seconds (Avg 692.48 files/sec)
02:46:17 [File Scan] Scanning in F:\ ...
02:46:17 [File Scan] Scanned 0 files: 16 alarms in 0 seconds (Avg -1.#IND files/sec)
02:46:17 [Scan] Finished.
02:49:02 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt
02:49:51 [Screen Text] Saved to C:\Program Files\TDS3\scr1.txt
02:49:53 [Quit] Unloading ...

Thanks, again.

I'm sorry if I offended anyone with my language - it wasn't my intention.

MicroBell · 03-23-2005, 12:57 AM

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\system32\w?nlogon.exe

Run hijackthis and fix this entry..

O2 - BHO: (no name) - {63929A18-7BF9-2F7A-8688-5740459DFBCC} - C:\WINDOWS\System32\aoop.dll

C:\WINDOWS\System32\aoop.dll <--delete that file
C:\WINDOWS\system32\w?nlogon.exe <--delete that file. Make sure you get the one with the ? in it and NOT the legit named one.

Delete the 16 alarms that TDS-3 tagged as positive. Repost another hijackthis log when finished. If your not sure about the TDS-3 entrys...copy and paste everything found in the bottom window and post it here.

lotuz · 03-23-2005, 02:46 PM

Here's the latest log:

Logfile of HijackThis v1.99.0
Scan saved at 4:45:32 PM, on 3/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for everything so far!

greyknight17 · 03-24-2005, 07:23 AM

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.

lotuz · 03-24-2005, 01:25 PM

Thanks again!

03-17-2005, 09:10 PM	#1 (permalink)
lotuz Member Join Date: Dec 2004 Posts: 46 OS: Windows XP Pro	Hijacked by popups, hopefully a quick fix; log inside I just started getting hijacked today after visiting a site to check out some song lyrics. I've run Spybot and AdAware, as well as HJT. Here is the log: Logfile of HijackThis v1.99.0 Scan saved at 11:09:56 PM, on 3/17/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\WINDOWS\System32\nlsdntld.exe C:\windows\system32\jjqznhqv.exe C:\Program Files\Tweak-XP\blads.exe C:\WINDOWS\System32\objuinit.exe C:\Program Files\Norton Utilities\SYSDOC32.EXE C:\windows\system32\calc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Utilities\NProtect.exe C:\Program Files\Speed Disk\nopdb.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/ O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKLM\..\Run: [axazojgx] C:\WINDOWS\axazojgx.exe O4 - HKLM\..\Run: [47Fg37j] nlsdntld.exe O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

03-18-2005, 01:44 AM	#2 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows XP-Pro SP2	Hi and Welcome to TSF Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log….. If you have a highspeed connection please Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so. Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure) C:\WINDOWS\System32\nlsdntld.exe C:\windows\system32\jjqznhqv.exe C:\WINDOWS\System32\objuinit.exe Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll O4 - HKLM\..\Run: [axazojgx] C:\WINDOWS\axazojgx.exe O4 - HKLM\..\Run: [47Fg37j] nlsdntld.exe O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directorys..ect enabled if it applys to your OS) C:\WINDOWS\System32\nlsdntld.exe C:\windows\system32\jjqznhqv.exe C:\WINDOWS\System32\objuinit.exe C:\WINDOWS\Pynix.dll C:\WINDOWS\axazojgx.exe C:\WINDOWS\farmmext.exe C:\WINDOWS\wupdt.exe Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not. Once your clean you can enable system restore again. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

03-18-2005, 02:09 PM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing) O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\Pynix.dll C:\WINDOWS\systb.dll objuinit.exe Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-21-2005, 07:12 PM	#6 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	I think we can do without all of the "crap" references.......thanks. ============== Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\Program Files\Media Access\MediaAccK.exe C:\WINDOWS\system\mmedx.exe C:\Program Files\Media Access\MediaAccess.exe C:\WINDOWS\System32\ilsut.exe C:\WINDOWS\System32\ipx3d2ag.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\Documents and Settings\Tim\Application Data\twia.exe C:\Program Files\CxtPls\CxtPls.exe C:\WINDOWS\system32\w?nlogon.exe C:\windows\system32\jjqznhqv.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: AutoUpdate CxtPls EliteBar Media Access Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php R3 - Default URLSearchHook is missing O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\ELITET~1\ELITET~2.DLL O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteifc32.exe O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.SAV /ShowLegalNote=nonbranded O4 - HKLM\..\Run: [47Fg37j] ipx3d2ag.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKCU\..\Run: [LwwmRXH5e] ilsut.exe O4 - HKCU\..\Run: [Waaa] C:\Documents and Settings\Tim\Application Data\twia.exe O4 - HKCU\..\Run: [Knmhkgm] C:\WINDOWS\System32\w?nlogon.exe Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\Documents and Settings\Tim\Application Data\twia.exe C:\Program Files\AutoUpdate\ C:\Program Files\CxtPls\ C:\Program Files\Media Access\ C:\WINDOWS\ceres.dll C:\WINDOWS\ELITET (something…..folder name) C:\WINDOWS\farmmext.exe C:\WINDOWS\farmmext.ini C:\WINDOWS\system\mmedx.exe C:\WINDOWS\System32\cxtpls_loader.exe c:\windows\system32\eliteifc32.exe C:\WINDOWS\System32\exp.exe C:\WINDOWS\System32\ilsut.exe C:\WINDOWS\System32\ipx3d2ag.exe C:\windows\system32\jjqznhqv.exe C:\WINDOWS\System32\pacis.exe C:\WINDOWS\system32\w?nlogon.exe C:\WINDOWS\System32\wintask.exe Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. =========== Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. __________________ GO BIG BLUE!!

03-23-2005, 12:57 AM	#8 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows XP-Pro SP2	Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure) C:\WINDOWS\system32\w?nlogon.exe Run hijackthis and fix this entry.. O2 - BHO: (no name) - {63929A18-7BF9-2F7A-8688-5740459DFBCC} - C:\WINDOWS\System32\aoop.dll C:\WINDOWS\System32\aoop.dll <--delete that file C:\WINDOWS\system32\w?nlogon.exe <--delete that file. Make sure you get the one with the ? in it and NOT the legit named one. Delete the 16 alarms that TDS-3 tagged as positive. Repost another hijackthis log when finished. If your not sure about the TDS-3 entrys...copy and paste everything found in the bottom window and post it here. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder Last edited by MicroBell; 03-23-2005 at 12:59 AM.

03-18-2005, 01:03 PM	#3 (permalink)
lotuz Member Join Date: Dec 2004 Posts: 46 OS: Windows XP Pro	Alrighty, here's the new log: Logfile of HijackThis v1.99.0 Scan saved at 3:03:06 PM, on 3/18/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\Program Files\Tweak-XP\blads.exe C:\Program Files\Norton Utilities\SYSDOC32.EXE C:\HJT\HijackThis.exe C:\WINDOWS\system32\ati2sgag.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Utilities\NProtect.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/ O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing) O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe O4 - HKCU\..\Run: [LwwmRXH5e] objuinit.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Thanks for the help thus far!

03-21-2005, 12:46 AM	#5 (permalink)
lotuz Member Join Date: Dec 2004 Posts: 46 OS: Windows XP Pro	Thanks for the help so far. One snag - one of my friends used my computer today and now I'm totally bogged down with crap. He's on the new "no-list." I spent the first fifteen minutes after rebooting unsuccessfully trying to uninstall "Virtual Bouncer" and "Ad-Somethingsomething"... Here's the new log, repleat with popup goodness: Log was analyzed using HijackThis Analyzer - Updated on 12/1/04 Get updates at http://www.greyknight17.com/download.htm#programs Logfile of HijackThis v1.99.0 Scan saved at 2:43:43 AM, on 3/21/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\exp.exe C:\WINDOWS\System32\wintask.exe C:\Program Files\Media Access\MediaAccK.exe C:\WINDOWS\system\mmedx.exe C:\Program Files\Tweak-XP\blads.exe C:\Program Files\Media Access\MediaAccess.exe C:\Program Files\Norton Utilities\SYSDOC32.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Utilities\NProtect.exe C:\WINDOWS\System32\ilsut.exe C:\WINDOWS\System32\ipx3d2ag.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\Documents and Settings\Tim\Application Data\twia.exe C:\Program Files\CxtPls\CxtPls.exe C:\WINDOWS\system32\w?nlogon.exe C:\windows\system32\jjqznhqv.exe C:\windows\system32\packager.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/ R3 - Default URLSearchHook is missing O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\ELITET~1\ELITET~2.DLL O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe O4 - HKLM\..\Run: [jjqznhqv] c:\windows\system32\jjqznhqv.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteifc32.exe O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.SAV /ShowLegalNote=nonbranded O4 - HKLM\..\Run: [47Fg37j] ipx3d2ag.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe O4 - HKCU\..\Run: [LwwmRXH5e] ilsut.exe O4 - HKCU\..\Run: [Waaa] C:\Documents and Settings\Tim\Application Data\twia.exe O4 - HKCU\..\Run: [Knmhkgm] C:\WINDOWS\System32\w?nlogon.exe O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50252/QDow_AS2.cab O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe End of HijackThis Analyzer Log. Thanks for your continuing patience.

03-22-2005, 01:10 AM	#7 (permalink)
lotuz Member Join Date: Dec 2004 Posts: 46 OS: Windows XP Pro	Alright, here's the newest HJT log: Log was analyzed using HijackThis Analyzer - Updated on 12/1/04 Get updates at http://www.greyknight17.com/download.htm#programs Logfile of HijackThis v1.99.0 Scan saved at 3:08:44 AM, on 3/22/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Tweak-XP\blads.exe C:\Program Files\Norton Utilities\SYSDOC32.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Utilities\NProtect.exe C:\WINDOWS\system32\w?nlogon.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/ O2 - BHO: (no name) - {63929A18-7BF9-2F7A-8688-5740459DFBCC} - C:\WINDOWS\System32\aoop.dll O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe End of HijackThis Analyzer Log. and here's the other log: 00:58:50 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED) 00:58:50 [Init] Started 22-03-05 00:58:50 Eastern Standard Time (UTC: 5), Internet Time @290.86 00:58:50 [Init] Loading TDS-3 Systems ... 00:58:50 [Init] Token successfully adjusted. 00:58:50 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum 00:58:51 [Init] • Plugins : OK. Loaded 13 00:58:51 [Init] • Exec Protection : Not Installed 00:58:51 [Init] WARNING: Your Radius.TD3 database needs to be updated! 00:58:51 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3 00:58:51 [Init] Licensed users can use the Update facility from the TDS menu 00:58:51 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 00:58:59 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families 00:58:59 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other] 00:58:59 [Init] Radius Systems loaded. <Databases updated 14-10-2004> 00:58:59 [Init] TDS-3 Ready. <Tim@131.247.157.87, 127.0.0.1 - United States> 00:58:59 [Tip Of The Day] TDS-3 is the only anti-trojan system capable of detecting, enumerating and scanning in hidden NTFS Alternate Data Streams - you can enable this powerful capability in Scan Control 00:58:59 [TDS] Good morning Tim. It's getting late, aren't you sleepy yet? 00:59:05 [Mutex Memory Scan] Started... 00:59:07 [Mutex Memory Scan] Finished (no trojan mutexes found). 00:59:07 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering. 00:59:24 [CRC32] Started - verifying 29 files ... 00:59:25 [CRC32] File doesn't exist: C:\autoexec.bat 00:59:39 [CRC32] Test finished. 01:00:12 [Memory Scan] Memory scan started, please wait a moment ... 01:00:13 [Memory Scan] Memory scan complete. 01:00:13 [Mutex Memory Scan] Started... 01:00:14 [Mutex Memory Scan] Finished (no trojan mutexes found). 01:00:14 [Trace Scan] Started... 01:00:23 [Trace Scan] Finished. 01:00:23 [Service\Driver Scan] Scanning for services and drivers ... 01:00:28 [Service\Driver Scan] Scanned 314 services and drivers. 01:00:28 [File Scan] Scanning in A:\ ... 01:00:29 [File Scan] Scanned 0 files: 0 alarms in 1.031006 seconds (Avg 1. files/sec) 01:00:29 [File Scan] Scanning in C:\ ... 02:36:12 [Locked File] Couldn't open c:\windows\system32\w?nlogon.exe for read access, file is locked 02:44:57 [TDS] Good morning Tim. Would you like a coffee? 02:46:15 [File Scan] Scanned 107744 files: 16 alarms in 6345.5 seconds (Avg 17.98 files/sec) 02:46:15 [File Scan] Scanning in D:\ ... 02:46:15 [File Scan] Scanned 0 files: 16 alarms in 0 seconds (Avg -1.#IND files/sec) 02:46:15 [File Scan] Scanning in E:\ ... 02:46:17 [File Scan] Scanned 1491 files: 16 alarms in 2.15625 seconds (Avg 692.48 files/sec) 02:46:17 [File Scan] Scanning in F:\ ... 02:46:17 [File Scan] Scanned 0 files: 16 alarms in 0 seconds (Avg -1.#IND files/sec) 02:46:17 [Scan] Finished. 02:49:02 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt 02:49:51 [Screen Text] Saved to C:\Program Files\TDS3\scr1.txt 02:49:53 [Quit] Unloading ... Thanks, again. I'm sorry if I offended anyone with my language - it wasn't my intention.

03-23-2005, 02:46 PM	#9 (permalink)
lotuz Member Join Date: Dec 2004 Posts: 46 OS: Windows XP Pro	Here's the latest log: Logfile of HijackThis v1.99.0 Scan saved at 4:45:32 PM, on 3/23/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\Program Files\Tweak-XP\blads.exe C:\Program Files\Norton Utilities\SYSDOC32.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Utilities\NProtect.exe C:\Program Files\Speed Disk\nopdb.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/ O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Thanks for everything so far!

03-24-2005, 07:23 AM	#10 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-24-2005, 01:25 PM	#11 (permalink)
lotuz Member Join Date: Dec 2004 Posts: 46 OS: Windows XP Pro	Thanks again!